Exploiting the exploitable: New software vulnerabilities down, but risk remains high, Secunia reports

By | February 21, 2012

Posted in: Network Security Trends

“If the Rebels have obtained a complete technical reading of this station, it is possible, however unlikely, they might find a weakness and exploit it.”

The geek in me couldn’t resist the Star Wars quote to kick off a post on software vulnerabilities and exploits. If the Empire had designed the Death Star the way most software has been created, Luke wouldn’t have needed The Force to blow it into a zillion sparkling points of light. This year’s software security report by Secunia, which specializes in vulnerability risk management tools, reveals a continuing pattern of widespread vulnerabilities and exploits across thousands of software programs, including those that are most prevalent on employees’ desktops. It is not only possible, but very likely, that cyber criminals will find a weakness and exploit it.

It’s worth stressing at the outset that while the “sky is falling” headlines often scream about zero-day exploits, most attacks exploit known, unpatched vulnerabilities. In fact, older vulnerabilities are among the most widely exploited. For example, the most exploited web-based vulnerability according to a recent report by M86, the Microsoft Internet Explorer RDS ActiveX flaw, was disclosed and patched in 2006 and is among the exploits in Blackhole, currently by far the most popular exploit toolkit. Even targeted attacks may exploit known vulnerabilities. The aim is to get in, and a years-old vulnerability is just as good as a zero-day if the target hasn’t patched it.

The largest risk, Secunia reports, is still among the 20 vendors that are most prevalent on desktops; they accounted for 63% of the CVEs (Common Vulnerabilities and Exposures) in 2011. The good news is that the total number of CVEs in 2011 (3,551) was well below the yearly average (4,645) over 2006-2010. And among the top 20 vendors, the number of new vulnerabilities in perennial whipping boy Microsoft and newer whipping boy Adobe was down significantly last year.

That being said, attackers are still going to go after new and older vulnerabilities in popular software, where they’ll get the best return on their investment. Criminals deploy massive, wide-ranging attacks that scan for numerous vulnerabilities and carry exploit packages. They can quickly swap in payloads for the newest vulnerabilities, or simply for whatever seems to be working best. They’re adapting to what’s hot in their business.

Attackers are also exploiting vulnerabilities in relatively less popular software programs. On the low end, Secunia notes, a third of the programs with a market share between 10% and 20% have known vulnerabilities. While the report naturally steers this way, since Secunia definitely has a dog in this hunt, the point is quite valid in terms of risk: most organizations, even those with an aggressive vulnerability management program, are likely to focus on Microsoft and perhaps a few other vendors whose software is prevalent on their desktops, and pay little if any attention to second- and third-tier desktop software.

And, of course, that’s just the authorized software that the company knows about. Unless your PCs are really locked down, your users are running all sorts of undocumented and vulnerable stuff on their laptops.

The conclusions to be drawn are that you still have to concentrate most of your vulnerability management effort on the areas of greatest exposure, but the threats are pervasive, automated and continuous. Minimize your risk, and monitor your logs and your networks for indications of successful attack, because it has already happened.
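The two practical points above, that patching effort should follow real exposure rather than vendor name recognition and that unauthorized software on endpoints is part of that exposure, can be reduced to a small prioritization over an inventory. The following is an added example, not code from the original post or from Secunia; the hosts, product names, versions and advisory identifiers are all constructed for illustration and correspond to no real software or CVE.

```python
"""Rank patch work by exposure (hosts still running an affected version,
weighted by whether the flaw is known to be exploited) and flag software
that is installed but not on the authorized list.

All data below is constructed for the example: fictional hosts, fictional
products and fictional advisory IDs (no real CVEs)."""
from collections import defaultdict

# Constructed endpoint inventory: (host, product, version).
INVENTORY = [
    ("ws01", "OfficeSuite", "14.0"), ("ws01", "PDFViewer", "9.3"), ("ws01", "MediaPlayer", "2.1"),
    ("ws02", "OfficeSuite", "14.0"), ("ws02", "PDFViewer", "9.4"), ("ws02", "ChatTool", "1.0"),
    ("ws03", "OfficeSuite", "14.1"), ("ws03", "PDFViewer", "9.3"), ("ws03", "ArchiveTool", "5.2"),
    ("ws04", "OfficeSuite", "14.0"), ("ws04", "PDFViewer", "9.4"), ("ws04", "ChatTool", "1.0"),
    ("ws05", "OfficeSuite", "14.1"), ("ws05", "PDFViewer", "9.4"), ("ws05", "MediaPlayer", "2.1"),
    ("ws06", "OfficeSuite", "14.0"), ("ws06", "PDFViewer", "9.4"), ("ws06", "ArchiveTool", "5.2"),
    ("ws07", "OfficeSuite", "14.1"), ("ws07", "PDFViewer", "9.4"), ("ws07", "MediaPlayer", "2.0"),
    ("ws08", "OfficeSuite", "14.1"), ("ws08", "PDFViewer", "9.4"), ("ws08", "ChatTool", "0.9"),
    ("ws09", "OfficeSuite", "14.0"), ("ws09", "PDFViewer", "9.4"),
    ("ws10", "OfficeSuite", "14.1"), ("ws10", "PDFViewer", "9.4"),
]

# Constructed list of software the organization knows about and manages.
AUTHORIZED = {"OfficeSuite", "PDFViewer", "ArchiveTool"}

# Constructed advisories: product -> [(advisory id, affected versions, exploited in the wild)].
ADVISORIES = {
    "OfficeSuite": [("ADV-0001", {"14.0"}, True)],        # old, patched upstream, in an exploit kit
    "PDFViewer":   [("ADV-0002", {"9.3"}, False)],
    "ArchiveTool": [("ADV-0003", {"5.2"}, False)],        # second-tier product, still vulnerable
    "ChatTool":    [("ADV-0004", {"0.9", "1.0"}, True)],  # unauthorized and exploited in the wild
}


def host_count(inventory):
    """Number of distinct hosts in the inventory."""
    return len({host for host, _, _ in inventory})


def prevalence(inventory):
    """Fraction of hosts on which each product is installed, in any version."""
    hosts_per_product = defaultdict(set)
    for host, product, _ in inventory:
        hosts_per_product[product].add(host)
    total = host_count(inventory)
    return {p: len(h) / total for p, h in hosts_per_product.items()}


def exposure(inventory, advisories):
    """One record per advisory listing the hosts that still run an affected version."""
    prev = prevalence(inventory)
    records = []
    for product, advs in advisories.items():
        for adv_id, affected, exploited in advs:
            exposed = sorted(h for h, p, v in inventory if p == product and v in affected)
            records.append({"product": product, "advisory": adv_id,
                            "exposed_hosts": exposed, "exploited": exploited,
                            "prevalence": prev.get(product, 0.0)})
    return records


def unauthorized(inventory, authorized):
    """Products present on hosts but absent from the authorized list, with the hosts."""
    found = defaultdict(set)
    for host, product, _ in inventory:
        if product not in authorized:
            found[product].add(host)
    return dict(found)


def prioritize(inventory, advisories):
    """Order patch work by: exploited in the wild first, then most exposed hosts,
    then overall prevalence. Vendor popularity on its own is not a key."""
    records = [r for r in exposure(inventory, advisories) if r["exposed_hosts"]]
    records.sort(key=lambda r: (not r["exploited"], -len(r["exposed_hosts"]),
                                -r["prevalence"], r["product"]))
    return records


if __name__ == "__main__":
    for r in prioritize(INVENTORY, ADVISORIES):
        print(f"{r['advisory']} {r['product']:<12} exploited={r['exploited']!s:<5} "
              f"exposed={len(r['exposed_hosts'])} prevalence={r['prevalence']:.0%}")
    for product, hosts in unauthorized(INVENTORY, AUTHORIZED).items():
        print(f"unauthorized: {product} on {', '.join(sorted(hosts))}")
```

Run as-is, the ranking puts the widely deployed office suite first, but the unauthorized chat client ranks second because its flaw is exploited in the wild, and the 20%-share archive tool lands on the list at all only because the inventory, not the vendor list, drives the query. Real use would feed the inventory from an endpoint agent and the advisory set from a vulnerability feed; the sort key is the part worth keeping.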
