Application vulnerabilities are on the rise in 2012 after a steady decline over the past few years, and an automated attack toolkit is behind many of the exploits targeting the coding errors, according to the latest threat report issued by Microsoft.
The Microsoft Security Intelligence Report: Volume 13 provides analysis of the first half of 2012, from January to June, and marks changes in a wide range of security topics including vulnerabilities, exploits and email spam. Microsoft said it bases its analysis on data collected from more than 600 million computers that have its antimalware software and update mechanisms deployed. Analysis of application vulnerability disclosures is compiled from vulnerability disclosure data from the National Vulnerability Database.
During the second half of 2011, there were fewer than 1,200 application vulnerabilities. That number jumped to about 1,400 in the first half of 2012. Application vulnerabilities account for over 70% of all flaw disclosures for the period, with browser vulnerabilities and operating system vulnerabilities registering between 200 and 400 cases.
Vulnerability disclosures increased 11.3% in the first half of 2012 from the second half of 2011. They were up nearly 5% from the first half of 2011, due largely to the increase in application vulnerability disclosures, Microsoft said.
"It is a software development problem that application vulnerabilities exist," said Wolfgang Kandek, CTO at Redwood City, Calif.-based Qualys Inc. Kandek said developers are concerned with an application's functionality "and [are] less focused on making sure it is done in a secure manner."
Further adding to application flaws are the faster release cycles for software updates. Security departments are having trouble adapting to these faster releases, Kandek said. Many IT organizations fully test patches before deploying them to ensure that customized applications aren't broken as a result of the fix.
Black Hole attack toolkit fueling most exploits
"For better protection, ensure that all of the software in your environment is up to date and that security updates from all relevant vendors are installed quickly after they are published," Microsoft said in its report.
Kandek added that the kits are easy to use, even for non-technical people, and are up to date on the latest vulnerabilities. The cybercriminals behind the kit announced revisions to Black Hole last month, adding automated capabilities that could make it more powerful, say security researchers.
"When you buy it, it works," Kandek said. "[Kit makers] are at the cutting edge of technology."
Microsoft offered possible action steps for security teams.
"IT departments can increase their level of protection against [Black Hole] exploits by using intrusion detection and prevention systems (IDS/IPS) to monitor for and block exploitation of the vulnerabilities targeted by the kit," read the report.
Email spam levels remain steady
The report also noted that email spam stayed around the same rate in the first half of 2012 as in the second half of 2011. The number of spam messages blocked has declined by hundreds of billions of instances between the second half of 2010 and the first half of 2011.
"The dramatic decline in spam observed over the past year and a half has occurred in the wake of successful takedowns of a number of large spam-sending botnets, notably Cutwail (August 2010) and Rustock (March 2011)," the report read.
Drive-by download sites were addressed in the report as well. Microsoft defined a drive-by download site as "a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons."
Microsoft said the sites are particularly dangerous because users can potentially become infected with malware just by visiting a website containing the hidden exploits. Numbers collected by the Microsoft search engine Bing, which analyzes websites for exploits as they are indexed, show that Malaysia had the highest concentration of these sites at the end of the second quarter of 2012 with 5.7 drive-by URLs for every 1,000 URLs tracked. Ukraine was second with 5.1, Germany had 3.9, and Korea had 3.1.