Symantec Global Internet Security Threat Report
The remainder of the top attacked vulnerabilities in 2009 comprised several client-side vulnerabilities. In July 2009, Symantec observed widespread attacks on the MPEG2TuneRequest vulnerability (a stack buffer overflow in the Microsoft Video ActiveX control) in relation to the Fostrem Downloader.[109] In this report, the Fostrem Downloader was the eighth-highest ranked new malicious code sample for 2009. The Adobe Reader Collab getIcon vulnerability was found to be associated with the NeoSploit attack toolkit.[110]
Attacks continue to evolve, both to evade detection by intrusion detection and prevention systems and to improve the reliability of exploitation. In February 2009, Symantec noted new attempts to obfuscate attacks on vulnerabilities, including the second-most attacked vulnerability of 2008.[111] These attacks were also associated with various Trojans and rogue security applications. In September 2009, Symantec published a blog analyzing techniques employed in the wild to obfuscate malicious PDFs so that they evade detection by security software.[112] Additionally, a Symantec blog discussed techniques (presented at the Black Hat® Technical Security Conference in 2009) that were being used in drive-by attacks to better target exploits at the specific browser, plug-in, and client software versions a victim runs.[113] These techniques are already deployed in attack toolkits such as MPack,[114] Firepack, NeoSploit, and LuckySploit.[115] Lastly, Symantec observed a malicious PDF attack that attempted to exploit three separate vulnerabilities with the same malicious file, so that the attack succeeds if the victim's reader is unpatched against any one of them.[116] The goal of the attack was to install malicious code to steal sensitive information.
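The obfuscation the report describes (script bodies hidden under PDF stream filters such as ASCII85Decode, with names spelled via #xx escapes) and the countermeasure of decoding the filter chain before matching indicators, as an added example; this is not code from the Symantec report or from the blogs it cites. It assumes a minimal single-file PDF layout and runs against a constructed sample built by `build_sample_pdf`, not a real malware sample; the indicator strings and helper names are the example's own choices (Collab.getIcon is the only one taken from the page).

```python
"""Added example (not from the Symantec report): unwrap PDF stream filters
before matching JavaScript indicators, so ASCII85Decode/FlateDecode wrapping
and #xx-escaped names do not hide a script from a signature check."""
import base64
import binascii
import re
import zlib

# Indicator strings chosen for this example. Collab.getIcon is the Adobe Reader
# API named in the report; the PDF names are the standard JavaScript action keys.
JS_INDICATORS = (b"/JavaScript", b"/JS", b"Collab.getIcon")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(?P<body>.*?)endobj", re.S)
STREAM_RE = re.compile(rb"(?P<dict>.*?)stream\r?\n(?P<data>.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
NAME_RE = re.compile(rb"/(\w+)")


def unescape_names(text: bytes) -> bytes:
    """PDF names may spell characters as #xx; /J#61vaScript is /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), text)


def apply_filter(name: bytes, data: bytes) -> bytes:
    """Decode one standard filter; raise on anything this example does not handle."""
    if name == b"ASCII85Decode":
        data = data.strip()
        if data.startswith(b"<~"):
            data = data[2:]
        if data.endswith(b"~>"):
            data = data[:-2]
        return base64.a85decode(data)  # whitespace inside the data is ignored
    if name == b"ASCIIHexDecode":
        hexdata = re.sub(rb"\s+", b"", data.split(b">")[0])
        return binascii.unhexlify(hexdata + b"0" if len(hexdata) % 2 else hexdata)
    if name == b"FlateDecode":
        return zlib.decompress(data)
    raise ValueError("unsupported filter %r" % name)


def decode_stream(dict_part: bytes, data: bytes) -> bytes:
    """Apply the /Filter chain in the order the PDF lists it."""
    m = FILTER_RE.search(dict_part)
    for name in (NAME_RE.findall(m.group(1)) if m else []):
        data = apply_filter(name, data)
    return data


def scan_pdf(pdf: bytes) -> dict:
    """Map object number -> indicators found after name unescaping and stream decoding."""
    findings = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group("body")
        sm = STREAM_RE.search(body)
        dict_part = unescape_names(sm.group("dict") if sm else body)
        content, hits = b"", []
        if sm:
            try:
                content = decode_stream(dict_part, sm.group("data"))
            except (ValueError, zlib.error):
                hits.append("undecodable stream")  # malformed content is itself a signal
        hits += [ind.decode() for ind in JS_INDICATORS if ind in dict_part + content]
        if hits:
            findings[num] = hits
    return findings


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed sample (not real malware): the script body is Flate-compressed,
    then ASCII85-encoded, and the action's names are #xx-escaped."""
    encoded = base64.a85encode(zlib.compress(payload), adobe=True)  # <~...~> framing
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /J#61vaScript /J#53 5 0 R >>",  # reads /S /JavaScript /JS 5 0 R
        b"<< /Length %d /Filter [/ASCII85Decode /FlateDecode] >>\nstream\n" % len(encoded)
        + encoded + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf(b"Collab.getIcon('constructed sample');")

if __name__ == "__main__":
    raw = [i.decode() for i in JS_INDICATORS if i in SAMPLE_PDF]
    print("raw byte match:", raw)  # misses the escaped names and the encoded body
    print("after decoding:", scan_pdf(SAMPLE_PDF))
```

A plain byte search over the sample finds neither `/JavaScript` nor `Collab.getIcon`, because one is hex-escaped in the action dictionary and the other sits inside a compressed, ASCII85-wrapped stream; `scan_pdf` reports both once names are unescaped and the filter chain is undone. Real files add object streams, cross-reference streams and custom /DecodeParms, which this example deliberately leaves out.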
Table 10. Top attacked vulnerabilities, 2008
Source: Symantec

Rank  BID    Vulnerability
1     31874  Microsoft Windows Server Service RPC Handling Remote Code Execution
2     32608  Java SE Runtime Environment and Java SE Development Kit Multiple Security Vulnerabilities
3     30114  Snapshot Viewer for Microsoft Access® ActiveX Control Arbitrary File Download
4     32721  Microsoft Internet Explorer XML Handling Remote Code Execution
5     28157  RealNetworks RealPlayer® 'rmoc3260.dll' ActiveX Control Memory Corruption
To limit exposure to attacks, organizations should deploy IDS and IPS systems along with antivirus on desktops within the enterprise. This may aid in detecting and preventing client-side attacks, malicious code, and other attacks on users within the organization. Heuristic detections within these products may block malformed content and prevent unknown attacks. Behavioral detection may detect and prevent attacks that result in anomalous behavior. Organizations should consider running operating systems that include address space layout randomization (ASLR)[117] and other memory protection technologies that can complicate the exploitation of many vulnerabilities; these protections only help programs that are built to opt in to them, so client software such as browsers, plug-ins, and document readers should be checked for that support. Third-party intrusion prevention products often offer ASLR and memory protection capabilities.
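A check for whether a given Windows executable actually opts in to the mitigations recommended above, as an added example that is not from the report. It parses the PE headers using the flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR, IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP) and runs against constructed header bytes produced by `build_pe`, not a real binary; it also covers the caveat that the ASLR opt-in is ineffective when the image's relocations were stripped, because the loader then cannot rebase it.

```python
"""Added example (not from the Symantec report): read a PE image's header flags
to see whether it opts in to ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT), and
whether stripped relocations defeat the ASLR opt-in."""
import struct
import sys

# Constants from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocation data
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # /NXCOMPAT (DEP opt-in)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def check_pe(data: bytes) -> dict:
    """Return the mitigation opt-ins of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off, = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    coff_chars, = struct.unpack_from("<H", data, coff + 18)  # Characteristics
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only rebase an image that still carries relocations,
        # so /DYNAMICBASE without relocation data gives no randomization.
        "aslr": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_pe(dll_chars: int,
             coff_chars: int = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
             pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for exercising the checker; not runnable code."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, coff_chars)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    # Subsystem (2 = GUI) at offset 68, DllCharacteristics at offset 70.
    opt = struct.pack("<H", magic) + b"\x00" * 66 + struct.pack("<HH", 2, dll_chars)
    return dos + b"PE\x00\x00" + coff + opt + b"\x00" * (opt_size - len(opt))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_pe(fh.read()))
```

Run it as `python check_pe.py C:\path\to\plugin.dll` to list the flags per file; an image reporting `dynamic_base: True` but `aslr: False` was linked with /DYNAMICBASE and then had its relocations stripped, which is the case that a flag-only check misses.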
[109] http://www.symantec.com/connect/blogs/another-unpatched-vulnerability-being-massively-exploited-internet-explorer
[110] http://www.symantec.com/connect/blogs/yet-another-pdf-vulnerability-exploited-collabgeticon
[111] http://www.symantec.com/connect/blogs/new-obfuscated-scripts-wild-lgpl
[112] http://www.symantec.com/connect/blogs/fight-against-malicious-pdfs-using-ascii85decode-filter
[113] http://www.symantec.com/connect/blogs/black-hat-2009-drive-improvements
[114] http://www.symantec.com/connect/blogs/mpack-packed-full-badness#M93
[115] http://www.symantec.com/connect/blogs/black-hat-2009-drive-improvements
[116] http://www.symantec.com/connect/blogs/has-elvis-left-building
[117] ASLR is a security mechanism that randomizes the locations of key memory regions (such as the stack, heap, and loaded libraries) each time a program runs, so that attacks leveraging memory corruption vulnerabilities, such as buffer overflows, cannot rely on known addresses and are less likely to succeed.