
Java, HTML exploits via Black Hole toolkit dominate attacks, Microsoft says

Robert Westervelt

HTML and Java exploitation rose sharply in the second half of 2011, driven primarily by automated attack toolkits that make such attacks easy to carry out, according to a vulnerability and threat analysis report from Microsoft.


Exploits targeting HTML weaknesses and Java vulnerabilities dominated all attacks in 2011, according to version 12 of the Microsoft Security Intelligence Report, issued today. The analysis was performed using data from the company’s security software user base, which includes more than 600 million systems -- primarily users of Microsoft’s Malicious Software Removal Tool.

JS/Blacole, more commonly known as the Black Hole Exploit Toolkit, is believed to be behind the bulk of the attacks. The automated attack toolkit helps attackers build the Zeus, Cutwail, Spyeye and Carberp botnets used to spread spam and malware. It was also detailed in an annual threat report issued last week by HP DVLabs, which found widespread exploitation of common Web application vulnerabilities tied to Black Hole.

Top malware families in the enterprise

Microsoft said adware, potentially unwanted software and Trojans were the most commonly detected malware categories in both 2010 and 2011. Leading Microsoft’s top 10 malware families list for the enterprise is the largely neutralized Conficker worm, which accounted for 13.5% of Microsoft’s malware detections. It is followed by the Win32/Autorun worm, which spreads via mapped drives on an infected computer. Standard antivirus detects the worm, and Microsoft has also issued updates that change how Windows handles AutoRun when USB sticks and other removable media are connected to a machine. AutoRun is followed by Black Hole and Win32/Keygen, key-generating software used with pirated copies of Windows and other applications.

HTML and JavaScript, the building blocks of nearly every website, have long been favorite attack vectors for cybercriminals. A prevalent type of attack continues to involve malicious IFrames, an injection technique also associated with adware. The anti-cross-site scripting (XSS) features added to browsers do not stop these campaigns: attackers instead target Java weaknesses and lure users into downloading malware. A recent annual threat report from IBM’s X-Force threat research team supports the Microsoft data. It found attackers are targeting browser components with automated toolkits rather than the browser itself, despite an increase in browser flaws.
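The report only names the technique, so the following is an added example, not code from Microsoft, IBM or the article: a small scanner that flags the hidden IFrames that drive-by kits of this kind inject into compromised pages. The HTML input, the hostnames and the heuristics (zero-size frames, frames hidden by CSS or pushed off-screen, frames loading from a host other than the page's own) are constructed assumptions for illustration; obfuscated JavaScript loaders, the other common delivery method, are out of scope here.

```python
"""Flag hidden or off-screen IFrames of the kind drive-by exploit kits inject.

Added illustration; not from the Microsoft report or the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes a frame invisible: display:none, visibility:hidden, or a
# large negative offset that pushes it off-screen (heuristic thresholds).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (px or unitless)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IFrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected.

    page_host is the hostname the page itself was served from; frames
    loading content from any other host are flagged as third-party.
    """
    collector = IFrameCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-by-style")
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("third-party-src")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed plus three injected frames
# (documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24 are used).
SAMPLE_HTML = """<html><body>
<h1>Quarterly results</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://198.51.100.9/landing/" style="position:absolute;left:-2000px;top:-2000px"></iframe>
<iframe src="/local/widget" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src!r}: {', '.join(reasons)}")
```

Run against the sample, the legitimate same-host video embed passes and the three injected frames are reported with the reasons that triggered them. In practice this kind of check is most useful run over a crawl of your own site's pages, since the IFrame is injected into the compromised site, not delivered to the victim by the kit directly.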

These attacks succeed because weak passwords and unpatched vulnerabilities are rampant in enterprises, said Tim Rains, director of product management in Microsoft’s Trustworthy Computing group. Employees are also readily susceptible to social engineering techniques, he said. The focus on advanced persistent threats (APT) or targeted attacks is not helpful for enterprise CISOs, because most organizations will be hit by broad-based automated attacks, Rains said.

“We don’t think the tactics are more advanced or any more sophisticated than the automated attacks we’ve seen for some time now,” Rains said. 

Fewer vulnerabilities disclosed

Vulnerability disclosures across the industry in 2011 were down 11.8% from 2010, Microsoft said. High-severity vulnerabilities decreased 31% from the first half of 2011, continuing a near-constant rate of decline since the first half of 2010, according to Microsoft. The software giant bases its figures on vulnerability severity, using ratings from the Common Vulnerability Scoring System (CVSS).

Microsoft’s Rains said the overall decrease in vulnerability disclosures can be attributed to a variety of factors. Businesses have been improving their software development processes to include security, he said. Bug hunters are also figuring out new ways to monetize their research, leading some to believe that critical vulnerabilities are going unreported.

“We’re trying to change the conversation from finding vulnerabilities to ways we can develop new classes of mitigation and defenses, so even if vulnerabilities exist, attackers can’t reach them,” he said. 

In a recent interview with SearchSecurity.com, Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center, described how vulnerability disclosure is changing. Moussouris, who works directly with security researchers who find vulnerabilities, said vendors have become more responsive and researcher cooperation has increased. Moussouris estimates that 80% of vulnerabilities are privately disclosed to Microsoft rather than surfacing as zero-days.

“There’s a lot to be learned from the research community, both inside and outside Microsoft,” she said. “Part of that is looking for exploitable issues so we enjoy a cooperative relationship with the research community.” 

Application vulnerabilities make up the bulk of the vulnerability disclosures, accounting for 71% of all vulnerability disclosures in the second half of 2011. Both application and Web browser vulnerability disclosures increased in that period. Meanwhile, operating system flaw disclosures decreased by more than 34% in the second half of 2011. OS flaw disclosures ranked below browser vulnerability disclosures for the first time since at least 2003, Microsoft said.

Microsoft also is producing fewer security updates. In 2011, the Microsoft Security Response Center released 100 security bulletins, addressing 236 individual CVE-identified vulnerabilities, decreases of 7% and 6%, respectively, from 2010.