Introduction | 2011 In Review | 2011 In Numbers | Executive Summary | Safeguarding Secrets: Industrial Espionage in Cyberspace | Against the Breach: Securing Trust and Data Protection | Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud | Spam Activity Trends | Malicious Code Trends | Closing the Window of Vulnerability: Exploits and Zero-day Attacks | Conclusion: What’s Ahead in 2012
Closing the Window of Vulnerability: Exploits and Zero-day Attacks
A vulnerability is a weakness, such as a coding error or design flaw that allows an attacker to compromise availability, confidentiality, or integrity of a computer system. Early detection and responsible reporting helps to reduce the risk that a vulnerability might be exploited before it is repaired.
Number of vulnerabilitiesWe identified 4,989 new vulnerabilities in 2011, compared to 6,253 the year before. (See Appendix D for more historical data and details on our methodology.) Despite this decline, the general trend over time is still upward and Symantec discovered approximately 95 new vulnerabilities per week.
Weaknesses in critical infrastructure systemsSCADA systems (Supervisory Control and Data Acquisition) are widely used in industry and utilities such as power stations for monitoring and control. We saw a dramatic increase in the number of publicly-reported SCADA vulnerabilities from 15 in 2010 to 129 in 2011. Since the emergence of the Stuxnet worm in 2010xxxv, SCADA systems have attracted wider attention from security researchers. However, 93 of the 129 new published vulnerabilities were the product of just one security researcher.
Old vulnerabilities are still under attackOn PCs, a six-year old vulnerabilityxxxvi in many Microsoft operating systems was, by far, the most frequently attacked vulnerability in 2011, clocking in at over 61 million attacks against the Microsoft Windows RPC componentxxxvii. It was more heavily attacked than the next four vulnerabilities put togetherxxxviii.
The most commonly exploited data file format in 2011 was PDF. For example, one PDF-related vulnerability attracted more than a million attacks in 2011.
Patches are available for all five of the most-attacked vulnerabilities, so why do criminals still target them? There are several explanations.
- They are cheaper to attack. Criminals have to pay a premium on black market exchangesxxxix for information about newer vulnerabilities but they can buy malware off the shelf to target old ones.
- Attacking newer vulnerabilities may attract more attention than going after older, well-known weaknesses. Some online criminals prefer a lower profile.
- There is a still a large pool of potential victims because a proportion of the user base can’t, won’t or don’t install patches or install a current and active endpoint security product.
Web browser vulnerabilitiesWeb browsers are a popular target for criminals and they exploit vulnerabilities in browsers such as Internet Explorer, Firefox or Chrome as well as plugins such as PDF readers. Criminals can buy toolkits for between USD $100 and USD $1,000 that will check up to 25 different vulnerabilities when someone visits an infected Web site.
In 2011, we saw a big drop off in reported vulnerabilities in all the popular browsers from a total of 500 in 2010 to a total of 351 in 2011. Much of this improvement was due to a big reduction in vulnerabilities in Google Chrome.
Overall, the number of vulnerabilities affecting browser plug-ins dropped very slightly from 346 to 308.
New zero-day vulnerabilities create big risksA zero-day attack exploits an unreported vulnerability for which no vendor has released a patch. This makes them especially serious because they are much more infective. If a non-zero-day attack gets past security, it can still be thwarted by properly-patched software. Not so a zero-day attack.
For example, in 2011 we saw vigorous attacks against a vulnerability in Adobe Reader and Adobe Acrobat that lasted for more than two weeks and peaked at more than 500 attacks a day before Adobe released a patch.
The good news is that 2011 had the lowest number of zero day vulnerabilities in the past 6 years; Adobe Flash and Reader account for half of them. While the overall number of zero day vulnerabilities is down, attacks using these vulnerabilities continue to be successful which is why they are often used in targeted attacks, such as W32.Duqu.
xxxvFor more on Stuxnet see: http://www.symantec.com/connect/blogs/hackers-behind-stuxnet and http://www.youtube.com/watch?v=cf0jlzVCyOI xxxviCVE-2008-4250 See http://www.securityfocus.com/bid/31874 xxxvii61.2 million attacks were identified against Microsoft Windows RPC component in 2011, and were mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). See http://www.securityfocus.com/bid/31874 xxxviiiAppendix D: Vulnerability Trends: Figure D.3 xxxixSee http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231900575/more-exploits-for-sale-means-better-security.html