Symantec Global internet Security threat report
the “Vulnerability Trends” section of this report notes that the percentage of plug-in vulnerabilities affecting Adobe reader in comparison to the total number of browser plug-in vulnerabilities increased to 15 percent in 2009, from 4 percent in 2008 (figure 9). in the previous volume of this report, Symantec noted that attackers are increasingly targeting Adobe reader. the large growth of Web-based attacks using malicious pDF files and plug-in vulnerabilities affecting Adobe reader—as observed in 2009 and noted above—indicates that this is a continuing trend. Considering that some users may be unaware of the danger or are slow to install patches for the issue, it is reasonable to assume that attacks against existing pDF-related vulnerabilities will continue in the near future.
in 2009, the second most common Web-based attack was associated with the Microsoft internet Explorer ADODB.Stream Object File installation Weakness,50 which accounted for 18 percent of the global total— a decrease from 2008 when this vulnerability accounted for 30 percent of the total during that reporting period. this vulnerability allows attackers to install malicious files on a vulnerable computer when a user visits a website hosting an exploit. to carry out this attack, an attacker must exploit an arbitrary vulnerability that bypasses internet Explorer security settings. the attacker can then execute malicious files installed by the initial security weakness. this vulnerability was disclosed on August 23, 2003, and fixes have been available since July 2, 2004. this indicates that a large percentage of computers are not being adequately patched in a timely manner.
in their efforts to exploit vulnerabilities, attackers not only employ manual methods, but they also use automated tools, such as neosploit to exploit client-side vulnerabilities on a massive scale.51 Such toolkits have become widely available and are easy enough to implement that even people with minimal technical knowledge can use them effectively. the market for these toolkits is now sophisticated enough that updated versions are released on a development schedule, advertising the inclusion of exploits for the latest vulnerabilities while retaining previous exploits. this may well contribute to the continued prevalence of the Microsoft internet Explorer ADODB.Stream Object File installation Weakness. Despite a patch being released in 2004, there are still a significant number of toolkit-based attacks occurring that attempt to exploit this issue. this underlines the importance of security measures and patches that address old issues as well as new ones.
the Microsoft internet Explorer ADODB.Stream Object File installation Weakness was the most common Web-based attack in 2008, and the reduced activity observed in 2009 may indicate that fewer computers are running older, susceptible versions of internet Explorer (as is discussed in the “Web browser vulnerabilities” metric). it is reasonable to assume that the prominence of this attack will continue to decline as more users make the switch to browser versions that are not affected by the weakness.
the third most common Web-based attack in 2009 exploited the internet Explorer 7 Uninitialized Memory Code Execution Vulnerability,52 accounting for 6 percent of the total. this vulnerability was published on February 10, 2009, and fixes have been available since that time. Seven days after that date, the issue was being actively exploited in the wild and exploit code was publicly available on February 18, 2009.
50 51 52
See http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031 or http://www.securityfocus.com/bid/10514 http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyname=Security&articleid=9115599&taxonomyid=17&pagenumber=1 See http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23291 or http://www.securityfocus.com/bid/33627