Symantec Global Internet Security Threat Report
these vulnerabilities has been automated by attackers. Enterprises may benefit from this information because it provides an indication of the types of vulnerabilities that attackers are most likely to employ in attacks and how to best protect against these vulnerabilities.
The top attacked vulnerability in 2009 was the Microsoft Windows SMB2 ‘Smb2ValidateProviderCallback()’ Remote Code Execution Vulnerability (Table 9).[106] Publicly announced in September 2009, this vulnerability was initially believed to be a DoS vulnerability that would let attackers crash Windows.[107] However, within a week it was discovered that the vulnerability could let attackers execute arbitrary code and completely compromise affected computers.[108] A number of publicly and commercially available exploits for the vulnerability were subsequently released. In October 2009, Microsoft released patches to address the vulnerability. Considering that exploits for this vulnerability can be easily automated, it is interesting that the vulnerability has not been associated with any worm activity. Symantec believes that the attack activity is due to the availability of reliable exploits that are either standalone or bundled with a number of freely and commercially available penetration testing tools.
The vulnerability is limited to Windows Vista®, Windows Server® 2008, and pre-release versions of Windows 7. The security features in these newer versions have been an obstacle for attackers, who have thus far relied on vulnerabilities in third-party software such as Web browsers and browser plug-ins to gain a foothold on these new versions. However, a successful exploit of this vulnerability compromises the affected computer at the kernel level, which could let attackers install rootkits once the computer has been compromised. These factors could indicate that attackers are increasingly targeting newer versions of the Windows operating system. Additionally, since the attacker does not need to entice the victim to perform actions such as visiting a malicious Web page, it is possible for attackers to scan the Internet for potential targets and initiate attacks at random. Since the attack can be automated at little cost, attackers can reach a large number of publicly facing targets that are affected by the vulnerability. This is in contrast to the other vulnerabilities in the top five, which are client-side in nature. Client-side vulnerabilities can be used to attack harder-to-reach targets on the internal network of an organization. The top attacked vulnerability from 2008 could also be exploited in the same automated fashion (Table 10). When vulnerabilities possess the characteristics necessary to facilitate automated scanning and exploitation, attackers will continue to capitalize on them.
Table 9. Top attacked vulnerabilities, 2009 (Source: Symantec)
[106] It should be noted that Symantec uses the same signature to detect BID 36594, Microsoft Windows SMB2 Command Value Remote Code Execution Vulnerability; however, Symantec believes that the majority of attack activity was associated with the Smb2ValidateProviderCallback vulnerability due to the number of public exploits associated with that vulnerability.
[107] http://www.securityfocus.com/bid/36299
[108] http://www.symantec.com/connect/blogs/bsod-and-possibly-more