During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.Web Application Attacks
There appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
Windows: Conficker/Downadup
Attacks on Microsoft Windows operating systems were dominated by Conficker/ Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks that are being launched against Apple software. Note that QuickTime runs on both Mac and Windows Operating Systems. The following vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957.
Origin and Destination Analysis for Four Key Attacks
Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. In order to show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such, should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two categories. However, the trends we see in separating this data is worth pointing out.
The SQL Injection attacks that compose this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity". The most prominent "PHP Remote File Include attack" is one that looks for a very small HTTP request that includes a link to another website as a parameter that contains a very specific evasion technique used by a number of attacks to increase the reliability of their attacks. Also of note is a very specific attack against the "Zeroboard PHP" application, the only single application that made the top attacks. The final type of attack included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, which remains a staple in the Server-Side HTTP category. The HTTP connect tunnels are used for sending spam emails via mis-configured HTTP servers.
Application Patching is Much Slower than Operating System Patching
Qualys scanners collect anonymized data of detected vulnerabilities to capture the changing dynamics in the vulnerability assessment field. The data documents changes such as the decline of server side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both in operating system components and applications. A Top 30 ranking is used often to see if major changes occur in the most frequent vulnerabilities found. Here is the ranking for the first half of 2009 TH edited to remove irrelevant data points such as 0-day vulnerabilities.
Description
1. WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
2. Sun Java Multiple Vulnerabilities (244988 and others)
3. Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges(238905)
4. Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
5. Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
6. Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
7. Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
8. Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
9. Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
10. Sun Java JDK JRE Multiple Vulnerabilities (254569)
11. Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
12. Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
13. Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)
14. Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)
15. Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)
16. Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (MS09-028)
17. Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)
18. Adobe Flash Player Multiple Vulnerabilities (APSB07-20)
19. Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)
20. Third Party CAPICOM.DLL Remote Code Execution Vulnerability
21. Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)
22. Adobe Flash Player Multiple Vulnerabilities (APSB07-12)
23. Microsoft Office Remote Code Execution Vulnerability (MS08-055)
24. Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02 and APSB09-06)
25. Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)
26. Processing Font Vulnerability in JRE May Allow Elevation of Privileges(238666)
27. Microsoft Office Could Allow Remote Code Execution (MS08-016)
28. Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (APSB08-19)
29. Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)
30. Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)
Zero-Day Vulnerability Trends
A zero-day vulnerability occurs when a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available. Once a working exploit of the vulnerability has been released into the wild, users of the affected software will continue to be compromised until a software patch is available or some form of mitigation is taken by the user.
The "File Format Vulnerabilities" continue to be the first choice for attackers to conduct zero-day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available "fuzzing" frameworks make it easier to find these flaws. The vulnerabilities are often found in 3rd party add-ons to these popular and wide-spread software suites, making the patching process more complex and increasing their potential value to attackers.
The notable zero-day vulnerabilities during past 6 months were:
* Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
* Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
* Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
* Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
* Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
* Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)
The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the number of people having skills to discover vulnerabilities world-wide. This is evidenced by the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple sources.
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.
The implication of increasing duplicate discoveries is fairly alarming, in that the main mitigation for vulnerabilities of this type is patching, which is an invalid strategy for protecting against zero-day exploits. There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit. Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch.
http://www.zerodayinitiative.com/advisories/upcoming/
This makes zero-day exploits in client-side applications one of the most significant threats to your network, and requires that you put in place additional information security measures and controls to complement your vulnerability assessment and remediation activities.
Fonte: http://www.sans.org/top-cyber-security-risks/#trends
Nessun commento:
Posta un commento