This report, published by IBM's X-Force, covers the new trends in vulnerabilities, spam, phishing, malware, etc. for the first half of 2008.
Mid-Year Highlights
Vulnerabilities
- The overall number of vulnerabilities continued to rise as did the overall percentage of high risk vulnerabilities.
- Web-based vulnerabilities and threats continue to increase:
- Over the past few years, the focus of endpoint exploitation has dramatically shifted from the operating system to the Web browser and multimedia applications.
- Vulnerabilities affecting Web server applications are climbing and so are the attacks, both evidenced by newcomers to the most vulnerable vendor list and this year's automated SQL injection attacks.
- Although standard Web browsers are becoming more secure, attackers continue to rely on automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins to successfully gain hold of new endpoint victims.
- Although the most exploited Web browser vulnerabilities are one to two years old, the availability of public proof-of-concept and exploit code is speeding the integration of more contemporary exploits into toolkits.
- In the first half of 2008, 94 percent of public exploits affecting Web browser-related vulnerabilities were released on the same day as the disclosure.
- Plug-ins were especially targeted, representing 78 percent of the public exploits affecting Web browsers.
- Although independent researchers disclose more vulnerabilities overall, research organizations still discover the most critical vulnerabilities.
- Independent researchers are almost twice as likely to have exploit code published on the same day as their vulnerability disclosure in comparison to research organizations.
- Although virtual machine breakout vulnerabilities tend to get a lot of attention from the press, they are rare and predominantly target x86 platforms and Type II (virtualization solutions that require a host operating system).
Spam and Phishing
- “Complex” spam (spam that uses images, PDFs, or complex text/HTML) is on the decline and a simpler type of spam is taking its place.
- This simpler spam relies on Web links and short text messages inside spam e-mails, which may be more difficult for some antispam technologies to detect.
- The Web links used in this new type of spam use familiar blog or other “personal” domain names that are more likely to trick users into clicking the Web link in the spam message.
- The lifespan of the URLs associated with URL spam continues to shrink, which is another way to avoid antispam technologies.
- Financial institutions continue to be the main phishing target.
- For the first half of 2008, a password stealer family that targets online games is in first place on the top ten malware list, and, in the password stealer category, game-related malware takes 50 percent of the top ten spots overall.
- One of the most common actions malware takes after installation is an attempt to evade detection, either by the user or by the security software on the system.
2008 Disclosure Count
X-Force analyzed and documented 3534 vulnerabilities in the first half of 2008, up 5 percent from the first half of 2007, which slightly reverses the trend of declining disclosures that occurred at the end of 2007.
Vulnerability Disclosures by Severity
The X-Force uses multiple methodologies to classify the severity of vulnerabilities. For this report, two methodologies are used for trend analysis:
- X-Force Severity Classification
- Common Vulnerability Scoring System (CVSS) Classification
X-Force Severity Classification
Although the total number of vulnerability disclosures decreased in 2007, the number of high severity vulnerabilities increased by 28 percent over the previous year. This increase was the first increase in high severity vulnerabilities since 2004. In the first half of 2008, high severity vulnerabilities continued to rise in number and overall percentage, although at a much slower pace in comparison to the change between 2006 and 2007.
X-Force defines high, medium, and low impact vulnerabilities by the following guidelines:
High: Security issues that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges. Examples are most buffer overflows, backdoors, default or no password, and bypassing security on firewalls or other network components.
Medium: Security issues that have the potential to grant access or allow code execution via complex or lengthy exploit procedures, or low risk issues applied to major Internet components. Examples are cross-site scripting, man-in-the-middle attacks, SQL injection, denial of service of major applications, and denial of service resulting in system information disclosure (such as core files).
Low: Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not to directly gain unauthorized access. Examples are brute force attacks, non-system information disclosure (configurations, paths, etc.), and denial of service attacks.
CVSS Base Scores
The base metrics are comprised of characteristics that generally do not change over time. Base metrics include access vector, complexity, authentication, and the impact bias. Temporal metrics are made up of characteristics of a particular vulnerability that can and often do change over time, and include the exploitability, remediation level, and report confidence. A complete explanation of CVSS and its metrics can be found on the CVSS Web site.
In 2008, only about 1 percent of all vulnerabilities scored in the Critical category, a slight decrease over 2007, where the number of critical vulnerabilities was 2 percent. Even though the percentage of Critical vulnerabilities decreased by a little over a ½ percent, the percentage of High vulnerabilities increased from 37 percent in 2007 to 39 percent in the first half of 2008.
Vendors with the Most Vulnerability Disclosures
Vulnerability disclosures for the top ten vendors in the first half of 2008 accounted for approximately 19 percent of all disclosed vulnerabilities. The table reveals who the top ten vendors are and their percentages of vulnerabilities in the first half of 2008.
These statistics do not balance vulnerability disclosures with market share, number of products, or the lines of code that each vendor produces. In general, mass-produced and highly distributed or accessible software is likely to have more vulnerability disclosures.
New Vendors in the Top Vendor List
The X-Force database team has incorporated a new standard to classify vulnerabilities by vendor. Earlier this year, CPE, or Common Platform Enumeration (more info at http://cpe.mitre.org/), was incorporated into the database. This new methodology plus some changes in the vulnerability landscape has brought some newcomers to our top ten list:
- Joomla!, an open-source content management system for Web sites
- WordPress, a blog publishing software
- Drupal, another open-source content management system for Web sites
An obvious trend demonstrated by the appearance of these vendors on the top ten list is the increasing prevalence of Web-related vulnerabilities, described in detail in the Web Application Vulnerabilities section on page 16 and Browser and Other Client-Side Vulnerabilities on page 21. Another commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.
Vendors with the Highest Percentage of Public Exploits
Another way of assessing the most targeted vendors is to analyze the availability of public exploits for the vulnerabilities that are disclosed. The X-Force definition of “public exploit” follows the standard CVSS terminology.
Public exploit: Any proof-of-concept demonstrative code, partially or fully functional, or malicious mobile agent, such as malware, that is publicly available.
Some researchers and research organizations will publish either proof-of-concept (PoC) code or enough details about the vulnerability so that another individual can quickly put together and publish a PoC. The public availability of proof-of-concept code increases the likelihood that the vulnerability will face live exploitation, either through targeted attempts or through a mass distribution method, like in an exploit toolkit. Common outlets for these public exploits are exploit testing tools like Metasploit and Canvas.
Analyzing the availability of public exploits by vendor produces a somewhat different list, and, after reviewing the numbers, there are a few clear leaders for the first half of 2008. The top three vendors each had at least approximately 50 percent more public exploits than any other vendor in the top ten. In fact, more than 20 vendors would have been listed in the remaining spots in the top ten, so it was a bit arbitrary to list the others along with the top three. The top three vendors with the most public exploits published in the first half of 2008 are listed in the next table.
The X-Force Database team tracks the name of the researcher publicly credited with the discovery of a vulnerability, along with any affiliated research organization that the researcher represents at the time. Approximately 16 percent of all vulnerabilities are anonymously disclosed, and the remaining disclosures can be broken down into those that were disclosed by a research organization and those that were disclosed by an independent researcher. Research organizations include for-profit, corporate organizations (like X-Force) and also non-corporate entities that publish research under a standard organizational name.
Over the past 1 ½ years, independent researchers have been responsible for approximately 70 percent of all vulnerability disclosures (critical, high, medium, and low) that were not anonymously disclosed. However, research organizations are responsible for finding nearly 80 percent of critical vulnerabilities (those with a CVSS base score of 10).
Public Exploits and Discoverers
In addition to tracking the vulnerability discoverer, X-Force also tracks the dates of public exploits that are released for a particular vulnerability. Overall, we expected to see more public exploits for independently discovered vulnerabilities. Luckily, the percentage of pre-disclosure exploits is very small for both research organizations (0 percent) and for independent researchers (0.2 percent). However, when it comes to 0-day exploits (those released on the same day as the vulnerability), vulnerabilities released by independent researchers are almost twice as likely to have exploit code released on the same day as the vulnerability disclosure. This trend is somewhat expected since most commercial research organizations follow a standard vulnerability disclosure process and do not promote the publication of exploit code or proof-of-concepts.
Web Application Vulnerabilities
Although most Web-based exploits are generated by exploit toolkits hosted on malicious Web sites, there is a growing concern and focus on Web application vulnerabilities and exploitation. As this year has shown with the rash of automated SQL injection attacks and compromises, Web-facing applications can be very vulnerable to attacks and highly publicized when they are attacked.
Year Over Year Growth in Web Application Vulnerabilities
The number of vulnerabilities affecting Web applications has grown at a staggering rate. From 2006 to the first half of 2008, vulnerabilities affecting Web server applications accounted for 51 percent of all vulnerability disclosures.
Web Application Vulnerabilities by Attack Categories
The predominant types of vulnerabilities affecting Web applications are cross-site scripting (XSS), SQL injection, and file include vulnerabilities. In the past few years, cross-site scripting has been the predominant type of Web application vulnerability, but the first half of 2008 saw a marked rise in SQL injection disclosures, more than doubling the number of vulnerabilities seen on average over the same time period in 2007. This increase explains the spike in the percentage of Web application disclosures attributed to SQL injection in Figure 9. Table 4 describes these major categories and the impact they can have on organizations and the customers they serve.
Active Exploitation & Automated SQL Injection Attacks in 2008 H1
In the past, most Web server compromises had been one-off, targeted exploitation attempts that steal information or manipulate an application in a way that is beneficial to the attacker. In the first half of 2008, X-Force began tracking mass Web site exploitation using automated SQL injection attacks. Instead of leveraging SQL injection to steal data, this attack updated the application’s backend data to include iFrames to redirect visitors to malicious Web pages. These attacks targeted many well-known and trusted Web sites and were also integrated into the ASPROX exploit toolkit. Soon after, the number of attacks and sources of attacks began to explode as exemplified through the following data collected through IBM ISS Managed Security Services attack monitoring:
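The automated attacks described above did not read data out of the application; they wrote iFrames into it. As an added, defender-side example that is not part of the report, this check walks every text column of a site's database and flags stored iframe or script tags whose source host is outside an allowlist. The database, rows and host names are constructed for the example; a real deployment would point it at the production database.

```python
import re
import sqlite3

# Constructed sample site database (not data from the report): one news record has
# been tampered with to embed a hidden iframe that pulls content from an outside host.
SAMPLE_ROWS = {
    "news": [
        ("Quarterly results", "<p>Revenue grew 4 percent.</p>"),
        ("Store hours",
         '<p>Open 9-5.</p><iframe src="http://evil.example/x.html" width=0 height=0></iframe>'),
    ],
    "products": [
        ("Widget", '<p>See <a href="http://www.shop.example/help">help</a>.</p>'),
    ],
}

# Hosts this site legitimately frames or loads scripts from (hypothetical allowlist).
TRUSTED_HOSTS = {"www.shop.example", "cdn.shop.example"}

# An <iframe> or <script> tag carrying a src attribute; group 2 captures the host.
TAG_RE = re.compile(
    r"<(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    for table, rows in SAMPLE_ROWS.items():
        conn.execute(f'CREATE TABLE "{table}" (title TEXT, body TEXT)')
        conn.executemany(f'INSERT INTO "{table}" VALUES (?, ?)', rows)
    return conn

def text_columns(conn, table):
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')
            if any(t in row[2].upper() for t in ("CHAR", "TEXT", "CLOB"))]

def find_injected_tags(conn, trusted_hosts=TRUSTED_HOSTS):
    """Return (table, column, rowid, host) for every stored iframe/script whose
    src host is not allowlisted. Identifiers come from the schema, not from users."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in text_columns(conn, table):
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                for _tag, host in TAG_RE.findall(value or ""):
                    if host.lower() not in trusted_hosts:
                        findings.append((table, col, rowid, host.lower()))
    return findings

if __name__ == "__main__":
    for hit in find_injected_tags(build_sample_db()):
        print("suspicious content in %s.%s rowid=%d -> %s" % hit)
```

Running the scan on a schedule and diffing its output against a known-good baseline turns a silent content change into an alert, which is the gap the mass-injection campaigns exploited.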
Browser and Other Client-Side Vulnerabilities and Exploits
X-Force has been monitoring significant changes in the threat landscape affecting personal computers, specifically client-side vulnerabilities and the exploits that take advantage of them.
Client-side vulnerabilities: Vulnerabilities affecting the operating system or applications running on personal computers. In addition to the core operating system, vulnerable components could include e-mail clients, Web browsers, document viewers, and multimedia applications.
As mentioned in the Vendors with the Highest Percentage of Public Exploits section, the availability of a public exploit code, either proof-of-concept or fully-functioning, is a key indicator that a vulnerability will suffer active exploitation. The number of client-side vulnerabilities with public exploits has risen dramatically, from less than 5 percent in 2004 to almost 30 percent in the first half of 2008.
Exploitation Targets: From the OS to the Browser
The focus of client-side exploitation has shifted from the operating system to the browser, with multimedia vulnerabilities close behind. This trend loosely follows the changes in vulnerability research, since the operating system has long been the focus of vulnerability researchers. However, the past few years have given rise to research into the diverse application ecosystem, with Web browsers, multimedia applications, and document readers (like Adobe and Microsoft Office) emerging as predominant targets. One such notable area of research related to multiplatform exploitation based on a multimedia application is discussed in the Security Research section at the end of this report. The following graph shows the shift from the operating system to the browser as it relates to the availability of public exploits.