X hits on this document

PDF document

Symantec enterpriSe Security - page 45 / 97





45 / 97

Symantec Global internet Security threat report

Zero-day vulnerabilities

A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known. it may not have been known to the affected vendor prior to exploitation and that at the time of the exploit activity the vendor had not released a patch. in the absence of available patches, zero-day vulnerabilities represent a serious threat since, in many cases, they likely will be able to evade purely signature-based detection. it is the unexpected nature of zero-day threats that causes concern, especially because they may be used in targeted attacks and in the propagation of malicious code.

in 2009, Symantec documented 12 zero-day vulnerabilities, which is more than the nine zero-day vulnerabilities documented in 2008. in 2009, there was some diversification in the types of zero-day vulnerability documented. in previous years, Symantec observed a trend toward targeting Microsoft Office® suite and internet Explorer. in 2009, four zero-day vulnerabilities were related to Adobe reader, while six were related to various Microsoft components including DirectX®, iiS, and Office. Additionally, there were no “region-specific” applications targeted in 2009, as was seen in previous years. it may be that attackers no longer view attacks on region-specific applications as profitable.

Zero-day vulnerabilities continue to be employed in malicious code attacks. in June 2009, a zero-day vulnerability affecting Microsoft DirectShow® was exploited to install trojan.Cipevas on vulnerable computers.118 in early attacks for this vulnerability, malicious web pages that exploited the vulnerability were linked to phishing sites. in addition to attempting to steal credentials in phishing attacks, these attacks also directed to malicious pages that were attempting to exploit the vulnerability.

in February of 2009, attackers were exploiting a zero-day vulnerability in Microsoft Excel® to install the Mdropper.AC trojan horse.119 Attacks exploiting this vulnerability used various techniques to try to evade detection. Firstly, to avoid arousing suspicion when the victim of the attack opened a malicious document, the exploit presented a legitimate spreadsheet. Secondly, binary code embedded in the malicious spreadsheet was obfuscated to make it more difficult to detect the payload of the attack. these types of techniques are becoming standard practice in client-side attacks because of heuristic detections that have been able to identify suspicious and malformed files in a generic manner. thus, attacks employing malformed documents and files must implement sufficient obfuscation or appear normal enough to not trigger heuristic detections.

Another zero-day vulnerability was exploited in February of 2009 in pidief.E trojan attacks targeting Adobe reader. Symantec believes that the motive for these attacks was to compromise high-ranking individuals within different organizations.120 the exploit attempts also used the ability to embed JavaScript within pDF documents as means to improve the reliability of exploitation. Adobe reader was the target of other zero- day attacks during the year, such as the pidief.H attack that occurred in December of 2009.121

Vulnerabilities—protection and mitigation

in addition to the specific steps required to protect against the vulnerabilities discussed in this section, there are general steps that should be taken to protect against the exploitation of vulnerabilities. Administrators should employ a good asset management system to track the assets that are deployed on the network and to determine which ones may be affected by the discovery of new vulnerabilities.

118 119 120 121

http://www.symantec.com/connect/blogs/directshow-exploit-wild http://www.symantec.com/security_response/writeup.jsp?docid=2009-022310-4202-99 http://www.symantec.com/connect/blogs/targeted-pdfs-used-exploits http://www.symantec.com/connect/blogs/zero-day-xmas-present


Document info
Document views132
Page views132
Page last viewedFri Oct 21 20:28:58 UTC 2016