Study finds attacks slip past spotty patch management policies

A study finds attackers targeting firms with poor patch management policies, exploiting vulnerabilities that should have been patched years ago.

According to a report issued this week from security vendor M86 Security (.pdf), organisations and individuals still leave themselves open to attack by failing to install important software security patches.

The company examined malware trends from July to December 2011, and discovered that although cybercriminals are carrying out more sophisticated, targeted attacks, the most commonly exploited vulnerability was one in Internet Explorer 6 (IE6), for which a patch has existed since 2006.

Attacks exploit unpatched systems
Ziv Mador, head of malware research at M86 Security Labs in Israel, said many companies with lax patch management policies are taking unnecessary risks because they are failing to patch their systems quickly.

“If people followed basic precautions, the risks could be greatly reduced,” Mador said. “If there is a zero-day attack they may not be protected, but zero-days don’t happen that frequently. The vast majority of attacks use known and patched vulnerabilities.”

M86 monitored Internet traffic during the last six months of 2011 and found 17.7% of all pages containing Web exploits targeted the RDS ActiveX vulnerability in IE6 (CVE-2006-0003), for which Microsoft provided a patch more than five years ago. The second most targeted vulnerability, found in 6.3% of pages, was a Java flaw patched in 2010; and 3.9% of pages targeted a Microsoft Office vulnerability dating back to 2002, for which there was also a patch.

Attacks embedded in layers
Mador conceded the criminals are constantly honing their skills and developing new techniques to evade detection. The study frequently found malware embedded deep inside files to avoid being picked up by antivirus engines, he said.

“We now see malware embedded in the second – or even the third or fourth – layer,” he said. “For instance, Duqu used a zero-day that was in a font file, which was in a Word document. And we have seen an infected Flash file embedded in another Flash file embedded in a PDF.”

Exploit kits commonly used
The M86 report also showed exploit kits are increasingly used in attacks. The kits provide less skilled hackers with a ready-made tool to allow them to mount sophisticated attacks and, according to the report, most cybercriminals use at least one exploit kit as part of an attack.

The kit of choice in the last half of 2011 was Black Hole, a tool developed in Eastern Europe and used in 95.1% of malicious URLs. Its great attraction, according to M86, is its frequent updating. For example, when the vulnerability known as CVE-2011-3544 Oracle Java Applet Rhino Script Engine Remote Code Execution was published at the end of November, it was exploited within days by Black Hole.

The report also underlined the need for more security awareness among users, since many of the attacks are now launched through social networking sites where unsuspecting users are lured into downloading infected files or going to infected websites.

For example, in one August 2011 campaign, spam messages were sent out purporting to come from Facebook, but instead brought users to a fake Facebook login page and ultimately to the Black Hole exploit kit and a Zbot Trojan. The M86 report advised that users should be warned not to automatically trust these sorts of notifications, and should check for fraud by hovering the mouse over the link to reveal its true destination.
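The link check the report recommends, done in code over a message body rather than by hovering: an added example, not from the M86 report or this article. The message HTML is constructed, and the non-Facebook hostnames are placeholders.

```python
"""Flag links whose visible text claims one site but whose href points elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the Facebook-themed spam described above
# (not a real message; the non-Facebook hostnames are placeholders).
SAMPLE_HTML = """
<p>You have 3 new notifications.</p>
<a href="http://login-facebook.example.net/verify">http://www.facebook.com/n/?notifications</a>
<a href="https://www.facebook.com/settings">Change your settings</a>
<a href="http://update.example.org/flash">facebook.com</a>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; crude but enough for this check."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html, claimed_brand_domain="facebook.com"):
    """Return hrefs whose link text names the brand but whose host is not that brand's domain."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        if claimed_brand_domain not in text.lower():
            continue  # text makes no claim about the destination
        host = urlparse(href).hostname or ""
        if registered_domain(host) != claimed_brand_domain:
            flagged.append(href)
    return flagged
```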
