As I wrote in our last article, Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date, new data from the Microsoft Security Intelligence Report volume 13 (SIRv13) shows that exploit activity has increased substantially over the past year. The data I shared in that article illustrates just how much exploit activity has increased since the second quarter of 2011 (2Q11).
Figure 1 (left): Unique computers reporting different types of exploits, 1Q11–2Q12.
Figure 2 (right): Top exploit families detected by Microsoft antimalware products in the second half of 2011 and first half of 2012, by number of unique computers with detections, shaded according to relative prevalence.
Blacole, a family of exploits used by the so-called Blackhole exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012 by a large margin. This kit can be bought or rented on hacker forums and through other illegitimate outlets. The kit consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components (a full list is provided in Figure 3). When the attacker loads the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack. I have written about this exploit kit before: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date.
Figure 3: Specific vulnerabilities targeted by the Blacole exploit kit in the first quarter of 2012 (1Q12) and second quarter of 2012 (2Q12), by number of unique computers reporting detections of each one
All of the vulnerabilities listed in Figure 3 were addressed by security updates from the affected vendors between 2006 and 2012. The most commonly detected Blacole exploits during both quarters targeted CVE-2010-1885, a vulnerability that affects the Windows Help and Support Center in Windows XP and Windows Server 2003; Microsoft issued Security Bulletin MS10-042 in July 2010 to address this issue. CVE-2012-0507, a vulnerability in the Oracle Java Runtime Environment (JRE), was added to the Blacole kit in late March of 2012 and accounted for the second highest number of exploits attributed to the kit in 2Q12. CVE-2011-2110, a vulnerability in Adobe Flash Player, accounted for the second largest number of Blacole exploits detected in 1Q12 and the third largest number in 2Q12. Adobe released Security Bulletin APSB11-18 in June 2011 to address the issue. Blacole exploitation of CVE-2011-3544, a vulnerability in the Java Runtime Environment, is decreasing, as Blacole authors have shifted their focus to newer exploits; it accounted for the largest number of Blacole exploits detected in 1Q12, but fell 14.6% to ninth place in 2Q12. Oracle released a security update in October 2011 to address the issue.
Defending against Blacole exploits

We included some guidance in SIRv13 to help defend against exploitation by Blacole. That guidance is provided to you here verbatim for convenience.
In years past it was rare to see an exploit in the top ten list of threats for a country/region. In the second quarter of 2012 at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13. Blacole is in the top ten lists of twenty-seven of these locations including Australia, Austria, Belgium, Canada, Chile, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Russia, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States, and Uruguay. Take steps to evaluate the risks in your environment and mitigate them as soon as possible.
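One concrete way to "evaluate the risks in your environment" along the lines of this article is to measure, for each host reporting a Blacole detection, how long the vendor fix for the targeted vulnerability had already been available at the time of the detection. The script below is an added example written for this page; it is not code from the SIR or from Microsoft. The fix dates for CVE-2010-1885 (MS10-042, July 2010), CVE-2011-2110 (APSB11-18, June 2011) and CVE-2011-3544 (Oracle update, October 2011) come from the article and are taken at month granularity; the article gives no fix date for CVE-2012-0507, so that CVE is deliberately left out of the table and routed to a separate triage list. The detection records, host names and the 90-day threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Fix release dates as stated in the article, at month granularity.
# The first of the month is used as a conservative stand-in for the
# exact release day (it slightly understates the real lag).
FIX_RELEASED = {
    "CVE-2010-1885": date(2010, 7, 1),   # MS10-042, July 2010
    "CVE-2011-2110": date(2011, 6, 1),   # Adobe APSB11-18, June 2011
    "CVE-2011-3544": date(2011, 10, 1),  # Oracle JRE update, October 2011
    # CVE-2012-0507: the article gives no fix date, so it is intentionally
    # absent here and is reported under "unknown_fix" for manual triage.
}

# Constructed sample telemetry (host, CVE, detection date). Not real data.
SAMPLE_DETECTIONS = [
    ("ws-01", "CVE-2010-1885", date(2012, 5, 14)),
    ("ws-01", "CVE-2011-3544", date(2012, 5, 14)),
    ("ws-02", "CVE-2011-2110", date(2012, 4, 3)),
    ("ws-03", "CVE-2012-0507", date(2012, 6, 20)),
    ("ws-04", "CVE-2010-1885", date(2012, 2, 9)),
]


def patch_lag_days(cve, seen):
    """Days between the vendor fix and the detection, or None if the fix
    date is not in FIX_RELEASED."""
    fixed = FIX_RELEASED.get(cve)
    if fixed is None:
        return None
    return (seen - fixed).days


def exposure_report(detections, threshold_days=90):
    """Summarise patch-lag exposure per host.

    Returns a dict with:
      "flagged":     [(host, worst_lag_days, cve), ...] for hosts whose worst
                     lag exceeds threshold_days, largest lag first.
      "unknown_fix": {host: {cve, ...}} for detections whose CVE has no
                     fix date in the table, so they need manual triage.
    """
    worst = {}                     # host -> (lag, cve) with the largest lag
    unknown = defaultdict(set)
    for host, cve, seen in detections:
        lag = patch_lag_days(cve, seen)
        if lag is None:
            unknown[host].add(cve)
            continue
        current = worst.get(host)
        if current is None or lag > current[0]:
            worst[host] = (lag, cve)

    flagged = sorted(
        ((host, lag, cve) for host, (lag, cve) in worst.items()
         if lag > threshold_days),
        key=lambda item: item[1],
        reverse=True,
    )
    return {"flagged": flagged, "unknown_fix": dict(unknown)}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_DETECTIONS)
    for host, lag, cve in report["flagged"]:
        print(f"{host}: exploit for {cve} seen {lag} days after the fix shipped")
    for host, cves in report["unknown_fix"].items():
        print(f"{host}: fix date unknown for {', '.join(sorted(cves))}; triage manually")
```

The ranking puts hosts hit by the oldest-patched vulnerabilities first, which matches the article's point: the exploits the kit delivers most often target issues whose fixes were available for months or years, so those hosts are the ones whose update process has most clearly failed.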
Tim Rains, Director, Trustworthy Computing