News Stay informed about the latest enterprise technology news and product updates.

Application vulnerability disclosures rise, Microsoft finds

The Black Hole attack toolkit is fueling many of the exploits targeting the vulnerabilities, according to Microsoft.

Application vulnerabilities are on the rise in 2012 after a steady decline over the past few years and an automated attack toolkit is behind many of the exploits targeting the coding errors, according to the latest threat report issued by Microsoft.  

Ensure that all of the software in your environment is up to date and that security updates from all relevant vendors are installed quickly after they are published.


The Microsoft Security Intelligence Report: Volume 13 provides analysis of the first half of 2012, from January to June, and marks changes in a wide range of security topics including vulnerabilities, exploits and email spam. Microsoft said it bases its analysis on data collected from more than 600 million computers that have its antimalware software and update mechanisms deployed. Analysis of application vulnerability disclosure is based on data provided by the compiled from vulnerability disclosure data from the National Vulnerability Database.

During the second half of 2011, there were fewer than 1,200 application vulnerabilities. That number jumped to about 1,400 in the first half of 2012. Application vulnerabilities account for over 70% of all flaw disclosures for the period, with browser vulnerabilities and operating system vulnerabilities registering with numbers between 200 and 400 cases.

Vulnerability disclosures increased 11.3% in the first half of 2012 from the second half of 2011. It was up nearly 5% from the first half of 2011, due largely to the increase in application vulnerability disclosures, Microsoft said.

"It is a software development problem that application vulnerabilities exist," said Wolfgang Kandek, CTO at Redwood City, Calif.-based Qualys Inc. Kandek said developers are concerned with an application's functionality "and [are] less focused on making sure it is done in a secure manner."

Further adding to application flaws are the faster release cycles for software updates. Security departments are having trouble adapting to these faster releases, Kandek said. Many IT organizations fully test patches before deploying them to ensure that customized applications aren't broken as a result of the fix.

In spite of a decline from the first quarter of 2012, HTML and JavaScript exploits continued to be the favorite attack technique. Microsoft said it detected  the exploits used on about 3.5 million unique computers. Java saw its number increase, maintaining the second position for most popular exploits. The increase for Java exploits was driven by issues with CVE-2012-0507 and CVE-2011-3544, Java Runtime Environment errors that were publicly disclosed. Documents and operating system exploits were the third and fourth most prominent.

Black Hole attack toolkit fueling most exploits

The Black Hole Exploit Kit was the most commonly used and the driving force behind many of the problems in HTML/JavaScript and Java exploitation. Microsoft cited the easy availability of Black Hole on hacker forums and other outlets as one reason for its ubiquity. 

"For better protection, ensure that all of the software in your environment is up to date and that security updates from all relevant vendors are installed quickly after they are published," Microsoft said in its report.

Kandek added that the kits are easy to use, even for non-technical people, and are up to date on the latest vulnerabilities. The cybercriminals behind the kit announced revisions to Black Hole last month, adding automated capabilities that could make it more powerful, say security researchers.

"When you buy it, it works," Kandek said. "[Kit makers] are at the cutting edge of technology."

Microsoft offered possible action steps for security teams.

"IT departments can increase their level of protection against [Black Hole] exploits by using intrusion detection and prevention systems (IDS/IPS) to monitor for and block exploitation of the vulnerabilities targeted by the kit," read the report.

Email, Spam levels remain steady

The report also noted that email spam stayed around the same rate in the first half of 2012 as in the second half of 2011. The number of spam messages blocked has declined by hundreds of billions of instances between the second half of 2010 and the first half of 2011.

"The dramatic decline in spam observed over the past year and a half has occurred in the wake of successful takedowns of a number of large spam-sending botnets, notably Cutwail (August 2010) and Rustock (March 2011)," the report read.

Drive-by downloads

Drive-by download sites were addressed in the report as well. Microsoft defined a drive by download site as "a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons."

Microsoft said the sites are particularly dangerous because users can potentially become infected with malware just by visiting a website containing the hidden exploits. Numbers collected by the Microsoft search engine Bing, which analyzes websites for exploits as they are indexed, show that Malaysia had the highest concentration of these sites at the end of the second quarter of 2012 with 5.7 drive-by URLs for every 1,000 URLs tracked. Ukraine was second with 5.1, Germany had 3.9, and Korea had 3.1.

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.