Vulnerable programs are among the most commonplace ways to attack victims and steal personal data. Exploits, pieces of malicious code that utilize vulnerabilities in popular software to infect the system, are used in malware designed to steal consumers’ personal data, but they are also the philosopher’s stone of cybercrime wizardry in terms of targeted attacks or cyber warfare. All known cyber weapons, such as Stuxnet and Duqu, used exploits to sneak into heavily guarded IT infrastructures for the purposes of sabotage and cyber espionage.
The main goal of Kaspersky Lab’s team of security experts and analysts is to identify and block all new cyber threats, including exploits. Apart from the traditional methods of detecting and blocking particular malware samples based on their signatures, new, smart techniques are used to block even previously unknown exploits or those that utilize newly discovered, or “zero-day”, software vulnerabilities. Automatic Exploit Prevention is a prominent example of this innovative technology. It detects and blocks exploits based on their behavior, before they can harm our customers. To develop these kinds of technologies, we need to really understand what our customers need: which programs they use and how they deal with vulnerable software.
We compile this data using the cloud-based Kaspersky Security Network: in exchange for this invaluable information our customers benefit from this network by receiving the most up-to-date news on the latest threats in almost real-time mode. Before coming to Kaspersky Lab’s servers, the information about local security incidents and usage data is cleaned from all personal information, maintaining strict anonymity.
This report is based on information about vulnerable programs found on the computers of our customers. The vulnerability scan is one of the standard features of Kaspersky Lab products like Kaspersky Internet Security 2013: it helps users to identify and upgrade critically vulnerable software. The purpose of this research is to understand how users react to vulnerable programs and analyze the potential dangers of vulnerable software.
In the 52-week period we detected a total of 806 unique vulnerabilities on our customers’ PCs. The oldest of them was first identified in February 2003; the most recent was in December 2012.
The share of vulnerabilities by year of discovery, all vulnerabilities
The best strategy to avoid potential security risks related to vulnerable software is to keep all your programs up to date (although this alone is not enough). The age of these vulnerabilities shows that users are failing to do this, except in those few cases where a vendor has been reluctant to issue an update. Sometimes, of course, everyone forgets about a rarely used program, or turns off irritating notifications. Analysis of the discovery dates for all vulnerabilities paints a grim picture: almost two-thirds (64%) of discovered software flaws are found in programs which are more or less obsolete (released in 2010 and earlier). But in order to get a clear picture, we need to take the “popularity” of certain vulnerable programs into account. To do this we counted only those vulnerabilities that were found on at least 10% of computers at some point during the year.
The top vulnerabilities by year of discovery
And here you can really see the difference. Only 37 vulnerabilities were sufficiently widespread to pass our artificial filter. The breakdown by age is also rather different: the overwhelming majority of popular vulnerabilities were discovered in 2011 and 2012, and only three vulnerable programs originate from 2010 or earlier (among the most notable being the vulnerability found in Microsoft Office 2007).
But one should keep in mind that hundreds of rare vulnerabilities could still potentially be used in targeted attacks on businesses.
The top 37 vulnerabilities are found in 10 different product families. The most vulnerable products are Adobe Shockwave/Flash Player, Apple iTunes/QuickTime and Oracle Java. Between them, they account for 28 vulnerabilities among those found on 10% or more of users’ PCs during 2012.
One of the most important characteristics of a vulnerability is its severity. In Kaspersky Lab’s vulnerability database the lowest severity is 1 (not critical) and the highest is 5 (extremely critical). Vulnerabilities with severity level 5 are considered to be the most dangerous, as they theoretically can be easily exploited and are most likely to lead to the loss of sensitive data. Based on the severity level for each of the 37 top vulnerabilities, we can calculate their average threat level at 3.7, somewhere between moderately and highly critical.
In this section we analyze eight vulnerabilities, selected from 37 software security flaws that are actively used by cybercriminals in widespread exploit packs. Although most of the more commonplace vulnerabilities are found in Adobe products, the most frequently exploited loopholes are actually in Oracle Java.
Java is an obvious “leader” in terms of discovered vulnerabilities, and 2012 was a very tough year for Oracle. We recorded five major vulnerabilities in this software, with the earliest one discovered in October 2011 and the most recent one in October 2012. The evolution of Java vulnerabilities and their prevalence is displayed in this chart:
In a vulnerability scan, only one potential weak spot is recorded for each program, even though it might be prone to several security vulnerabilities. However, in the case of Oracle Java, all five of these vulnerabilities were actively exploited by cybercriminals. This means we have to consider all of them to assess how many users are affected. As we can see, at any given time in 2012 there were a large number of users at risk from Java vulnerabilities. At the lowest point, in February, more than one in three (34.5%) were affected; the high water mark came in October when a combination of three vulnerabilities affected 61.1% of users.
We can also see that users are extremely reluctant to switch to the updated software, even when this will fix dangerous security issues. In one particular case with multiple Java vulnerabilities discovered in February 2012, the highest recorded share of affected users was 52.4% at the end of February 2012. The update for Java versions 6 and 7 was released on 14 February. 16 weeks (or four months!) later, it dropped to only 37.3% - still a substantial figure. During this period another update of Java was released (26 April) with non-security fixes, and at the end of it (12 June) one more update came up, fixing newly discovered security flaws. In other words, users had approximately four months to switch to the new version (secure at that time), but it took an astonishingly long time for them to react.
We carried our further analysis into the actual use of Java software in the period between two updates. On 30 August, Oracle launched Java SE 7 Update 7 and Java SE 6 Update 35. 16 October saw the arrival of Java SE 7 Update 9 and SE 6 Update 37. All these updates covered serious vulnerabilities. Using an alternative source of data from our users, a source which looks at the actual software in use, we discovered 41 different major versions of Java 6 and 7 being used. The vulnerability addressed in the 30 August Update (details can be found here at the Oracle website) also affects all prior versions of Java. Therefore, we combined the share of all previous (Affected) versions and compared them with the two newly updated (Fixed) versions. The results can be observed in this chart:
Knowing the high impact of Java vulnerabilities, we used a further method to analyze how fast users switch to the newer version of this software, when faced with an actively exploited vulnerability in the previous one. In this case users had seven weeks to update the secure (at that time) version of Java 6 or 7, but less than 30% of users actually managed to do that, before a newer version (fixing yet another set of multiple vulnerabilities) was released. In a previous report on web browser usage, we used similar data to calculate the upgrade speed for Google Chrome, Firefox and Opera. In all three cases 30% or more of users switched to the newer version within a week after the initial release. Clearly, we can describe the update process for Oracle Java as very slow.
Based on the number of frequently discovered vulnerabilities in 2012, Adobe Flash Player surpasses Java – we detected 11 (!) widespread vulnerabilities during this period (another five came on Shockwave Player, a different type of software). Fortunately, only two of them were in fact exploited by cybercriminals (compared to five for Java). First, we would like to highlight one particular Flash vulnerability that stands out from the crowd.
Unlike other Adobe Flash Player vulnerabilities that we will analyze later, this one was discovered and fixed more than two years ago. But as we can see, users who have this particular version were not informed about the update or have been reluctant to respond to automatic update notifications. The obsolete and vulnerable Adobe Flash Player was installed on 10.2% of computers on average – an astonishing amount of machines, considering the fact that an exploit was confirmed to exist for this vulnerability, but was not actively used. It seems possible that this vulnerability will only disappear when all computers currently running obsolete software are replaced with new ones.
The picture among the other 10 Flash vulnerabilities is more complex. Again, the vulnerability scan only uncovers one vulnerability per program, which is why this chart shows newer vulnerabilities overlapping some vulnerabilities and replacing others. Even though only two vulnerabilities out of the displayed 10 are actually exploited (the ones discovered in May and August 2012), the chart also shows that there is little sign of the level of vulnerabilities falling away: users are very slow to switch to the newer versions of software, regardless of how dangerous the discovered vulnerabilities might be. In future reports we will focus on actual usage statistics for Adobe Flash Player, to define the exact speed of upgrades from version to version.
The only Adobe Reader vulnerability that was popular and actively exploited at this time was discovered in early December 2011, and was found on an average of 13.5% user computers in 2012. Although it was patched immediately, that number did not change much, peaking at 16.8% in January 2012. As with the other programs analyzed, there is little evidence of any decrease in this vulnerability. Once again, it suggests that users are reluctant to update their software – probably because of an inefficient automatic update system.
This research allowed us to look at the threat level of software vulnerabilities from a unique point of view: showing software security flaws as a time bomb waiting to be detonated by a cybercriminal. Our information comes from our users, who are protected by our products and are therefore less likely to fall victim to an exploit. Even allowing for this, though, the picture is not pretty.
Even when a software vendor does its best to recognize a security flaw and releases an update in a timely manner, this means nothing for a significant proportion of users. A known, dangerous and exploitable security hole remains open on millions of PCs months after it was discovered and an update was provided. There are examples of software vulnerabilities that last for years after being discovered and fixed.
We can’t really blame users for that: they are not, and shouldn’t have to be, security experts. What is needed is a more streamlined and automated update process for all installed software and better security practices from vendors in general. What users have to understand is that the freedom to install any version of any program of their choice requires certain precautions – and the starting point is proper protection from modern threats, including the tools to detect and update vulnerable software.
2013 Feb 06, 10:16
fichier suspet sur mon google chromo mon pc
http://www.delta-search.com/?affID=119776 tt=030213_de babsrc=HP_ss mntrId=c8dce80b0000000000004061864c1d 3d