The gap in the fence: the most popular software is the most vulnerable

Imagine the following situation: there is a huge mass mailing of emails with innocent-looking MS Word document attachments sent to the mailboxes of a company’s employees. Some of these employees have been waiting for documents to come in and open these attachments, but soon realize something is wrong with the files. They close the documents and delete the messages, but have no idea their computers have already been compromised. The “fallout” then proceeds smoothly from there: the attachments contain a zero-day exploit for Microsoft Office, which no one except the attackers knows about, and a remote control tool is planted on the infected computer, leaking important company information to competitors or the public.

For the HBGary Federal company this very situation took place and ended in the most grievous of ways, with the closing of the company and a change of owners for the parent company. HBGary Federal management brought the disaster upon itself by deciding to help the FBI in its struggle to find the “hacktivists” who carried out the attack, but instead suffered an asymmetric backlash when thousands of messages and corporate emails were stolen and published; messages and letters that showed HBGary had been involved in some dirty business.

The problem HBGary Federal had was its content management system (CMS), which was developed poorly and therefore had vulnerabilities. Attackers managed to compromise it with a banal SQL injection, extracting hashes of users’ passwords from the database and cracking them with the help of so-called rainbow tables. It also turned out that the former HBGary Federal executives used the same easy passwords for a lot of different services.
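The two weaknesses described above, string-built SQL and unsalted password hashes, are easy to reproduce side by side with their hardened forms. The following is an added example, not HBGary’s CMS code and not part of the original article; the user table, passwords and the small word list standing in for a rainbow table are all constructed for the demonstration. The injected lookup returns every row of the table, the bound-parameter lookup returns nothing for the same input, the unsalted MD5 hashes are recovered from a precomputed table, and the per-user salted PBKDF2 hashes are not.

```python
import hashlib
import os
import sqlite3

# Constructed sample data: an invented user table for a toy CMS. Names and
# passwords are made up for this example; nothing is taken from a real system.
USERS = [("alice", "letmein"), ("bob", "sunshine")]
# A tiny word list standing in for the precomputed (rainbow) tables the
# article mentions: the attacker hashes it once and looks hashes up.
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty"]


def md5_unsalted(password: str) -> str:
    """What the weak CMS stores: one fixed hash per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes) -> str:
    """Hardened storage: per-user random salt plus a slow, iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_weak_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, md5_unsalted(p)) for n, p in USERS])
    return conn


def build_hardened_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash TEXT)")
    for n, p in USERS:
        salt = os.urandom(16)  # fresh salt per user, stored beside the hash
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (n, salt, pbkdf2_salted(p, salt)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted name is spliced into the SQL text: this is the injection
    # point. A quote in the input changes the query's structure.
    query = f"SELECT name, pw_hash FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value is data only and can never alter the query.
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)).fetchall()


def precomputed_table() -> dict:
    """Hash -> password over the word list; a stand-in for a rainbow table."""
    return {md5_unsalted(w): w for w in WORDLIST}


def crack_unsalted(hashes: list) -> dict:
    """Recover any leaked unsalted hash that appears in the precomputed table."""
    table = precomputed_table()
    return {h: table[h] for h in hashes if h in table}


def salted_hashes_differ(password: str) -> bool:
    """Same password, two salts: the stored hashes differ, so a single
    precomputed table cannot cover both."""
    return pbkdf2_salted(password, os.urandom(16)) != pbkdf2_salted(password, os.urandom(16))


def verify_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and pbkdf2_salted(password, row[0]) == row[1]


if __name__ == "__main__":
    hostile = "' OR '1'='1"  # textbook tautology used only to show the contrast
    weak = build_weak_db()
    leaked = lookup_vulnerable(weak, hostile)
    print("vulnerable lookup returned", len(leaked), "rows")
    print("parameterized lookup returned", len(lookup_parameterized(weak, hostile)), "rows")
    print("cracked from unsalted hashes:", crack_unsalted([h for _, h in leaked]))
    print("salted hashes differ for same password:", salted_hashes_differ("letmein"))
    hard = build_hardened_db()
    print("hardened verify alice/letmein:", verify_hardened(hard, "alice", "letmein"))
```

The point for a defender is that the two fixes are independent: parameterized queries close the door the hashes walked out of, and salted, iterated hashing makes a leaked table far less useful even if another door opens later. Reused passwords across services, the third weakness the article names, are outside what any single application can fix.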

HBGary is not the only example of a network or software vulnerability yielding big problems for commercial companies. Other prominent cases involved the planting of malware with a set of Darkleech exploits within the Los Angeles Times’ subdomain, as well as on Seagate’s and other respected companies’ network resources. At some point even the extremely popular Speedtest.net became a peddler of malicious software. Unfortunately, the most popular software systematically appears to be the most vulnerable.

Below is the list of the most vulnerable software in late 2012:

Last year we analyzed the data of the Kaspersky Security Network and identified 132 million vulnerable applications, the data sources being the computers of 11 million users. Each individual computer accounted for more than 12 vulnerabilities.

806 vulnerabilities were unique (when talking about MS Windows PCs), and the oldest of those vulnerabilities dated back to February 2003. The most recent was discovered in December 2012.

We selected 37 of the most dangerous vulnerabilities out of that group, considering only programs that had been installed and used for at least one week in 2012 by more than ten percent of PC users. Of these 37 we then chose eight vulnerabilities that were used by cybercriminals with particular zeal: exploits for each of them are present in all the notable sets of malicious tools.

The most “aggrieved” software is the family of Oracle Java programs. Of the eight regularly exploited vulnerabilities, five came from Oracle Java, two more from Adobe Flash, and another from Adobe Reader.

It’s unfortunate that users tend to be reluctant to update these programs. Seven weeks after the release of the new version of Oracle Java, only 30% of users chose to update the program, and that was in spite of the threat of losing data!

Java is not only one of the most vulnerable products, it is also the most targeted. 2012 was the year of Java vulnerabilities with 50% of attacks using exploits aimed specifically at this software.

This in itself is not surprising though. Java is cross-platform software that is installed on more than three billion devices worldwide, running under various operating systems. Correspondingly, exploits may also be cross-platform, like the Flashfake botnet, which works on Macs.

Adobe Reader holds the second place on the list of the most attacked software from 2012, with 28% of attacks targeted directly towards it. We must, however, give credit to Adobe, who took to bolstering the security of their products by adding defense tools that made creating exploits for new versions of Adobe Reader cumbersome. But the key word here is “new”, and with users too slow to update their software, the problem is likely to remain.

Windows and Internet Explorer take third place, accounting for 3% of attacks. Active exploits are still aiming at vulnerabilities found back in 2010. One of them is related to the mishandling of JPEG files, but in general direct attacks against Windows and its components are far fewer now than attacks against third-party software for this operating system.

The mobile operating system, Android, stands in fourth place with 2% of attacks, most of which were attempts at obtaining root privileges.

Software vulnerabilities pose the greatest threat to both individual and corporate users. Operating systems themselves may be properly protected or of no particular interest to attackers because of their narrow use, but if there are vulnerabilities within popular software for those operating systems, there are going to be attackers who will break in. It is not only the most widespread software that is subject to break-ins: in targeted attacks, even rare professional software packages may offer alluring gaps to attackers.

Tips