A new report sorted through the most popular exploit kits being used by malicious actors to find many of the same programs and vulnerabilities being targeted.
Digital Shadows studied 22 exploit kits in "In the Business of Exploitation" and found a total of just 76 vulnerabilities being targeted. The most frequently exploited software shouldn't be much of a surprise to security administrators; 27 of the 76 vulnerabilities used in exploit kits targeted the Adobe Flash Player. Oracle's Java and Internet Explorer were the second and third most targeted programs, and when added to Flash, those three pieces of software accounted for 62 of the 76 vulnerabilities found in all exploit kits.
Many cybersecurity experts have called for the death of the Flash Player in order to save enterprises from the risk of exploits, but Michael Marriott, research analyst at Digital Shadows, said finding alternative solutions might not always be easier than patching the vulnerable software.
"The frequency of exploit kits targeting vulnerabilities in these programs is certainly a point of concern for organizations, and the response will differ depending on the organization," Marriott told SearchSecurity. "There can be a trade-off between operational security and an organization's day-to-day activities. Finding this balance is important; for some organizations it will make sense to consider different software, for others the priority will be to patch these vulnerabilities in a timely manner. While patching can cause friction for organizations, so too would overhauling the software they use."
The report showed Internet Explorer took the ignominious title for having the most exploit kits using the same vulnerability, with 11 of the kits targeting a vulnerability disclosed in 2013 that affects IE 6 through IE 10. Digital Shadows suggested the flaw, CVE-2013-2551, is found in so many kits because a proof-of-concept exploit was released soon after disclosure.
Marriott said organizations shouldn't assume they are safe from Internet Explorer issues even if it isn't the default on company systems.
"Simply because an organization has a different browser as the default does not entirely remove the risk from Internet Explorer vulnerabilities," Marriott said. "This is because most organizations seldom remove IE from their computers entirely so there always remains the risk that an employee, maybe used to using IE at home, accesses it while in the office."
Five of the 22 exploit kits featured an Adobe Reader vulnerability first disclosed in 2010, but despite older vulnerabilities being in the mix, Marriott said the five most popular -- Angler, Neutrino, Nuclear, Magnitude and RIG -- set themselves apart because of how quickly the developers add newly discovered exploits.
"The popularity and success of a given exploit kit depends significantly on how quickly they can exploit the newest vulnerabilities," Marriott said. "Therefore, while older flaws cannot be ignored, the most popular exploit kits are using newer vulnerabilities and this should factor into an organization's patching processes. Organizations can identify the most popular exploit kits and understand the specific threat, based on the vulnerabilities it exploits and the delivery methods. Intelligence and context is key so help the IT team prioritize the threat."