Cyber threat protection must shield the most targeted end-user applications, says security firm Trusteer.
These are usually the most widely deployed applications, because that gives attackers the most targets; they typically receive external content; and they have security vulnerabilities for which an exploit exists.
By focusing on these applications, organisations can maximise the effectiveness of their cyber defences.
Targeted applications must receive external content because attackers must have some way of delivering malicious content to end-users, said Dana Tamir, director of enterprise security at Trusteer.
This can be an HTML webpage that contains a hidden Java applet or an email attachment like a Word document, Excel spreadsheet or PDF document that contains hidden code.
This code runs when the application – the browser, Java, Word, Excel or Adobe Acrobat Reader – opens the content, and it exploits vulnerabilities in that application to download malware onto the endpoint.
“If an application does not receive external content, it would be impossible for the attacker to deliver the weaponised content and the exploit,” said Tamir.
Vulnerable applications give the attacker an opportunity to develop an exploit, and an application that has many exploitable vulnerabilities will be targeted more often, she said.
According to Tamir, zero-day vulnerabilities – vulnerabilities that are not yet publicly known – are more likely to be successfully exploited because no patch is available.
However, Tamir said known application vulnerabilities are still exploited because many users do not apply security patches in a timely manner.
Considering the characteristics of targeted applications, Tamir said it is not surprising that the most targeted end-user applications include browsers, Java applications, Adobe Acrobat, Flash, Word, Excel, PowerPoint and Outlook.
“These are all common applications found on most user endpoints. They all receive external content that can be weaponised. They all contain vulnerabilities: most of them are known but periodically we hear about zero-day vulnerabilities. And exploit kits that contain exploit codes are widely available,” she said.
The RSA breach illustrates this, said Tamir, because according to the blog post RSA published, the attacker used a spear-phishing campaign to deliver a weaponised attachment to employees.
“The spear-phishing email included a weaponised attachment - an Excel spreadsheet, containing a zero-day exploit object,” she said.
The embedded object exploited an Adobe Flash vulnerability (CVE-2011-0609) to install a customised variant of the Poison Ivy remote access Trojan (RAT).
“Both Excel and Adobe Flash are common targeted applications that can be found on most user endpoints,” said Tamir.
For this reason, she said any advanced threat protection and exploit prevention technology must ensure that these targeted end-user applications are not successfully exploited.
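The delivery pattern described above (a Flash object carried inside an Excel file) can be checked for directly. The following scanner is an added example, not Trusteer's or RSA's code: it classifies an Office file's container and looks for embedded SWF headers ("FWS", "CWS", "ZWS") in the raw bytes, filtering out chance byte runs with a plausibility check on the SWF version byte, the declared length and, for zlib-compressed Flash, the zlib stream marker. The version ceiling, the sample file layout and the name `build_sample_xls` are assumptions for the example; the sample bytes are constructed here, not taken from the RSA attachment.

```python
"""Added example: scan an Office file's raw bytes for embedded Flash (SWF) objects.

Not Trusteer's or RSA's code. Works on bytes so it needs no third-party
libraries. An OOXML (.xlsx) file is a ZIP archive and would have to be
unzipped and each part scanned; that step is left to the caller.
"""
import struct
import zlib

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.xlsx/.docx) container
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_PLAUSIBLE_SWF_VERSION = 60                      # assumption: filters random byte runs


def classify_container(data: bytes) -> str:
    """Identify the outer file format from its magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def _plausible_swf(data: bytes, off: int) -> bool:
    """Return True if the bytes at `off` look like a real SWF header, not a chance match."""
    if off + 8 > len(data):                      # SWF header is 8 bytes: sig, version, u32 length
        return False
    version = data[off + 3]
    (declared_len,) = struct.unpack_from("<I", data, off + 4)
    if not 1 <= version <= MAX_PLAUSIBLE_SWF_VERSION:
        return False
    if declared_len < 8:                         # must at least cover its own header
        return False
    if data[off:off + 3] == b"CWS":
        # zlib-compressed body follows the header; a deflate zlib stream starts with CMF 0x78
        return off + 9 <= len(data) and data[off + 8] == 0x78
    return True


def find_embedded_swf(data: bytes) -> list:
    """Return every plausible SWF header found in `data`, sorted by offset."""
    hits = []
    for sig, kind in SWF_SIGNATURES.items():
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0:
                break
            if _plausible_swf(data, off):
                (declared_len,) = struct.unpack_from("<I", data, off + 4)
                hits.append({"offset": off, "compression": kind,
                             "version": data[off + 3], "declared_length": declared_len})
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


def assess(data: bytes) -> str:
    """Summarise the finding: a Flash object inside an Office container warrants a closer look."""
    container = classify_container(data)
    hits = find_embedded_swf(data)
    if container == "ole2" and hits:
        return "suspicious: %d embedded Flash object(s) in OLE2 container" % len(hits)
    if hits:
        return "review: %d SWF header(s) found in %s data" % (len(hits), container)
    return "no embedded Flash found (%s)" % container


def build_sample_xls() -> bytes:
    """Constructed test input (not a real file): OLE2 magic, filler, a decoy 'FWS' with an
    impossible version byte, then a CWS header with a genuine zlib stream as its body."""
    body = zlib.compress(b"\x00" * 64 + b"STAND-IN-FOR-FLASH-PAYLOAD")
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    decoy = b"FWS\xff\x00\x00\x00\x00"             # version 255: rejected by the plausibility check
    return (OLE2_MAGIC + b"\x00" * 504 + b"\x01\x00BOF-record"
            + decoy + b"\x00" * 32 + header + body + b"\x00" * 16)


if __name__ == "__main__":
    sample = build_sample_xls()
    print(classify_container(sample))
    for hit in find_embedded_swf(sample):
        print(hit)
    print(assess(sample))
```

A signature hit only shows that a Flash object is present, which is itself unusual in a spreadsheet sent by email; it does not identify which vulnerability the object targets, so a hit is a reason to detonate or dissect the file, not a verdict on its own.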
But because these applications are very different from each other, special controls may be required for each application, said Tamir.
For example, Java applications are exposed to both native exploits (which execute at the memory level) and applicative exploits (which execute in user space by breaking out of the JVM sandbox).
“Solutions that apply granular controls at the OS level to protect against native exploits would not be able to protect against applicative exploits,” she said.