Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge.  New research in the latest volume of the Microsoft Security Intelligence Report, volume 16, provides insight into the journey that remote code execution (RCE) exploits take between their first use and their eventual inclusion in criminal exploit kits that seek to attack systems on a mass scale.

The parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them. Vulnerability disclosures originate from a variety of sources, from dangerous disclosures (such as from malicious exploit developers and vulnerability sellers) to limited beneficial disclosures (such as the affected software vendors themselves and security researchers who are committed to coordinated vulnerability disclosure).

To explore how exploits make their way into criminal hands, Microsoft analyzed exploits targeting the 16 RCE vulnerabilities in various software products that had known exploits discovered between January 2012 and February 2014.

Figure 1: The first, second, and third parties responsible for known exploits of the 16 RCE software vulnerabilities studied, discovered between January 2012 and February 2014

Of these 16 vulnerabilities, nine were initially exploited in targeted attacks against specific targets. In these attacks, often called “advanced persistent threats” or “targeted attacks by determined adversaries,” the attacker concentrates on compromising a single designated target by using a variety of technical and social engineering techniques. Such attackers are often able to draw upon considerable technological and financial resources, which can include obtaining exclusive access to previously-unknown vulnerabilities that the target is unlikely to have mitigated. For more information on targeted attacks by determine adversaries check out the Targeted Attacks video series

Of the remaining seven vulnerabilities studied, exploits for three were first released via public exploit framework, exploits for two were released through commercial sellers, and two were released by security researchers.

Exploits for eight of the vulnerabilities subsequently showed up in public exploit frameworks. A public exploit framework is a tool designed to help test computer systems for vulnerability to a variety of exploits. Two of these exploits then appeared in criminal exploit kits.

Most of the exploits studied were first used in targeted attacks that posed a risk to relatively few people. Criminal exploit kits have the potential to affect a much larger number of people. But exploits for only two of the 16 vulnerabilities studied were used in exploit kits, and it’s important to note that these were added to the kits several months after security updates that addressed the vulnerabilities were published and widely distributed. 

Call to Action
Although the small sample size in this study makes generalization difficult, these findings suggest that installing security updates quickly is one of the best ways to mitigate the risk from exploits. Streamlining your organization’s security update deployment process and expediting the deployment of security updates for severe vulnerabilities in all vendor’s software will help mitigate risk for your organization. Using the newest versions of applications is a good mitigation, as newer versions are typically more resilient to attacks. Using the Enhanced Mitigation Experience Toolkit (EMET) can also help mitigate these types of attacks.

Tim Rains
Trustworthy Computing