HTML and Java exploitation rose sharply in the second half of 2011, primarily driven by pesky automated toolkits that make attacks relatively easy to pull off, according to a vulnerability and threat analysis report conducted by Microsoft.
"We do not believe the tactics are more advanced or any more sophisticated than the automatic attacks we have seen for a while now." -- Tim Rains, director of product management, Microsoft Trustworthy Computing
Exploits targeting HTML weaknesses and Java vulnerabilities dominated all attacks in 2011, according to version 12 of the Microsoft Security Intelligence Report, issued today. The analysis was performed using data from the company's security software user base, which includes more than 600 million systems -- primarily users of Microsoft's Malicious Software Removal Tool.
JS/Blacole, more commonly known as the Black Hole Exploit Toolkit, is thought to be behind the majority of the attacks. The automated attack toolkit helps attackers build the Zeus, Cutwail, SpyEye and Carberp botnets used to spread spam and malware. It was also recently detailed in an annual threat report issued last week by HP DVLabs, which found widespread exploitation of common Web application vulnerabilities tied to Black Hole.
HTML and JavaScript, the most common website scripting languages, were favorite attack vectors for cybercriminals. A prevalent type of attack continues to involve malicious IFrames, an attack technique related to adware. Despite anti-cross-site scripting (XSS) features added to browsers, attackers are finding success in targeting Java weaknesses to lure users into downloading malware. A recent annual threat report from IBM's X-Force threat research team supports the Microsoft data. It found attackers are targeting browser components with automated toolkits instead of targeting the browser, despite a rise in browser flaws.
These attacks are successful because enterprises are rife with weak passwords and unpatched vulnerabilities, said Tim Rains, director of product management in Microsoft's Trustworthy Computing group. Employees are also highly susceptible to social engineering techniques, he said. The focus on advanced persistent threats (APT) or targeted attacks isn't helpful for enterprise CISOs, because most people may be targeted with broad-based automated attacks, Rains said.
"We do not believe the tactics are more advanced or any more sophisticated than the automatic attacks we have seen for a while now," Rains said.
Fewer vulnerabilities disclosed
Vulnerability disclosures across the industry in 2011 were down 11.8% from 2010, Microsoft said. High-severity vulnerabilities decreased 31% from the first half of 2011, continuing a near-constant rate of decline since the first half of 2010, according to Microsoft. The software giant bases its figures on vulnerability severity, using ratings from the Common Vulnerability Scoring System (CVSS).
Microsoft's Rains said the overall decrease in vulnerability disclosures can be attributed to a variety of factors. Businesses are improving their software development processes to incorporate security, he said. Bug hunters are also finding new ways to monetize their research, leading some to believe that critical vulnerabilities are going unreported.
"We're looking to change the conversation from finding vulnerabilities to ways we will develop new classes of mitigation and defenses, so even though vulnerabilities exist, attackers can't reach them," he said.
In a recent interview with SearchSecurity.com, Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center, described how vulnerability disclosure is changing. Moussouris, who works directly with security researchers who find vulnerabilities, said vendors have become more responsive and researcher cooperation has increased. Moussouris estimates that 80% of vulnerabilities are privately disclosed to Microsoft rather than surfacing as zero-days.
"There's an awful lot to be learned from the research community, both outside and inside Microsoft," she said. "Part of this is searching for exploitable issues so we enjoy a cooperative relationship with the research community."
Application vulnerabilities make up the majority of the vulnerability disclosures, accounting for 71% of all vulnerability disclosures in the second half of 2011. Both application and Web browser vulnerability disclosures increased in that period. Meanwhile, operating system flaw disclosures decreased by more than 34% in the second half of 2011. OS flaw disclosures ranked below browser vulnerability disclosures for the first time since at least 2003, Microsoft said.
Microsoft is also producing fewer security updates. In 2011, the Microsoft Security Response Center released 100 security bulletins, addressing 236 individual CVE-identified vulnerabilities, decreases of 7% and 6%, respectively, from 2010.