After analyzing public vulnerabilities and exploit trends in the first half of 2014, Bromium Labs concluded that Internet Explorer is the “sweet spot for attackers.”
“Internet Explorer was the most patched and also one of the most exploited products,” the report (pdf) states. Microsoft’s browser “set a record high for reported vulnerabilities in the first half of 2014” and also “leads in publicly reported exploits.”
Adobe Flash player has been another prime target. “Flash exploits require DEP and ASLR bypass for successful execution.”
There’s no slowdown of zero-day exploitation, with attacks targeting end-user apps like web browsers and productivity apps like Microsoft Office.
These attacks are typically delivered through classic spear-phishing, with the user as the lure. The notable aspect of 2014 so far is that Internet Explorer was both the most patched and one of the most exploited products, surpassing Oracle Java, Adobe Flash and the rest of the field. Bromium Labs believes the browser will likely continue to be the sweet spot for attackers.
Attacks on the ActionScript Virtual Machine and ASLR bypass via “Action Script Spray” (which lets the exploit build its ROP chain at runtime) are the emerging zero-day exploitation techniques, according to Bromium.
So far in 2014, the following three “severe” vulnerabilities were exploited for Action Script Virtual Machine (ASVM) attacks: CVE-2014-0497, CVE-2014-0502, CVE-2014-0515. “Unlike the first two exploits, CVE-2014-0515 used a relatively new technique to bypass ASLR allowing dynamic crafting of ROP chain called Action Script Spray.”
Bromium reports, “Almost all Internet Explorer memory corruption exploits now use de facto ROP (Return Oriented Programming) techniques for bypassing the default Operating System security mechanisms (ASLR, DEP). Both the IE zero days exploits leveraged ‘Action Script Spray’ technique to bypass ASLR.”
Regarding ROP bypass using Action Script Spray, Bromium noted, “Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode. This technique leverages the way dense arrays are allocated in memory.” Attacks leveraging Action Script Sprays are “more complex than a traditional heap spray, which indicates that cybercriminals are ready to invest more time and resources into development of new techniques in response to ever increasing protection measures.”
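To make the “dense array” point concrete, the following C program is an added model of the primitive described above; it is not code from Bromium or from any of the exploits named, and it does not reproduce Flash/AVM internals. It assumes a simplified object layout (a length field, a vtable-style pointer into a module, then inline element storage), a toy contiguous heap so that sprayed objects of equal size sit side by side, a 64 KiB-aligned fake ASLR base, and made-up gadget offsets. The point it illustrates: once a memory-corruption bug overwrites a single length field, the normal bounds check lets the attacker read the neighbouring object's header, recover the module base, and only then compute the ROP chain, which is why ASLR alone does not stop it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Bromium's or any exploit's code): a model of the dense-array
 * spray primitive. Layout, toy heap, ASLR model and gadget offsets are assumptions. */

#define SPRAY_COUNT 64          /* number of sprayed objects */
#define ELEMS       62          /* inline elements per object -> 256-byte objects */
#define VTABLE_OFF  0x1234u     /* assumed offset of the vtable inside the module */

typedef struct {
    uint32_t length;            /* element count the VM checks bounds against */
    uint32_t vtable;            /* points into the module; leaks the module base */
    uint32_t data[ELEMS];       /* inline element storage (dense) */
} dense_array;

#define OBJ_WORDS (sizeof(dense_array) / sizeof(uint32_t))   /* 64 words */

/* One contiguous region: sprayed objects of equal size end up adjacent. */
static dense_array g_heap[SPRAY_COUNT];
static uint32_t g_module_base;  /* simulated randomized image base */

/* Simulated ASLR: a 64 KiB-aligned base derived from a seed (deterministic for tests). */
static uint32_t fake_aslr_base(uint32_t seed) {
    return 0x10000000u + ((seed * 2654435761u) & 0x0FFF0000u);
}

uint32_t actual_module_base(void) { return g_module_base; }

/* Spray: fill the heap with identical objects carrying valid lengths and vtables. */
void spray_dense_arrays(uint32_t seed) {
    g_module_base = fake_aslr_base(seed);
    for (size_t i = 0; i < SPRAY_COUNT; i++) {
        g_heap[i].length = ELEMS;
        g_heap[i].vtable = g_module_base + VTABLE_OFF;
        memset(g_heap[i].data, 0x41, sizeof g_heap[i].data);
    }
}

/* Bounds-checked element read as the VM performs it: the check trusts the length
 * field, and the read is a flat "data + index*4" access. Returns 1 on success. */
int checked_read(size_t obj, uint32_t index, uint32_t *out) {
    const uint32_t *words = (const uint32_t *)(const void *)g_heap;
    if (obj >= SPRAY_COUNT) return 0;
    if (index >= g_heap[obj].length) return 0;          /* the honest bounds check */
    size_t w = obj * OBJ_WORDS + 2 + index;              /* +2 skips length and vtable */
    if (w >= SPRAY_COUNT * OBJ_WORDS) return 0;          /* keep the model inside the toy heap */
    *out = words[w];
    return 1;
}

/* All the memory-corruption bug (e.g. a use-after-free write) has to do is
 * overwrite one sprayed object's length field. */
void corrupt_length(size_t obj) {
    if (obj < SPRAY_COUNT) g_heap[obj].length = 0xFFFFFFFFu;
}

/* The neighbour's header sits right after this object's data: index ELEMS is its
 * length, ELEMS + 1 its vtable. Returns 0 while the bounds check still holds. */
uint32_t leak_module_base(size_t victim) {
    uint32_t vt;
    if (victim + 1 >= SPRAY_COUNT) return 0;             /* no neighbour to read */
    if (!checked_read(victim, ELEMS + 1, &vt)) return 0; /* length not corrupted */
    return vt & 0xFFFF0000u;                             /* strip the intra-module offset */
}

/* Gadget offsets (assumed, as if taken from offline analysis of the module). The
 * chain is computed only after the base is known, so it works whatever ASLR chose. */
static const uint32_t gadget_off[] = { 0x0A0Cu, 0x1B2Eu, 0x3F40u };
#define CHAIN_LEN (sizeof gadget_off / sizeof gadget_off[0])

size_t build_rop_chain(uint32_t base, uint32_t *chain, size_t cap) {
    if (base == 0 || cap < CHAIN_LEN) return 0;
    for (size_t i = 0; i < CHAIN_LEN; i++) chain[i] = base + gadget_off[i];
    return CHAIN_LEN;
}

int main(void) {
    uint32_t chain[8], w;
    spray_dense_arrays(7);
    printf("read of index %d before corruption: %s\n", ELEMS + 1,
           checked_read(5, ELEMS + 1, &w) ? "allowed" : "blocked");
    corrupt_length(5);
    uint32_t base = leak_module_base(5);
    printf("leaked base 0x%08x (actual 0x%08x)\n", base, actual_module_base());
    size_t n = build_rop_chain(base, chain, 8);
    for (size_t i = 0; i < n; i++) printf("gadget[%zu] = 0x%08x\n", i, chain[i]);
    return 0;
}
```

The corruption itself is the only part a real bug supplies; everything after it is ordinary, bounds-checked reads, which is why this primitive is more valuable to an attacker than a traditional heap spray and why it needs ASLR to be defeated before the ROP chain can exist at all.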
Java, surprisingly, had no reported zero-days in the first half of 2014, “despite its past notorious reputation.” The widespread practice of disabling the Java browser plugin is the likely reason attackers were forced to switch targets.
While Internet Explorer and Adobe Flash have been “the targets of choice in the first half of 2014,” web browser plugins are the “weak link that is just waiting for exploitation in the future.” Bromium added that “the prevalence of IE+Flash is much higher than IE+Java JRE, so this provides the attackers with a bigger opportunity.”
Web browser release cycles are compressing, and the interval between the general availability of a new release and the appearance of its first security patches has been shrinking. This may reflect greater effort by software manufacturers to secure their products, or it may mean products are reaching the market with less security testing than earlier versions received. Notably, use-after-free vulnerabilities were the favourite of zero-day attackers.