Author: Kyle Cooper, kylec@gladtech.net
In Verizon’s 2012 Data Breach Report published last month, they dubbed 2011 “The Year of The Hacktivist” due to the large amount of chaos caused by hacker activist groups like Anonymous and LulzSec. Though we’re only four months into the current year, another trend has already begun to take shape. It looks like 2012 could be “The Year of the Vulnerability.” Let’s take a look at why.
To start the New Year right, Microsoft released an update for a critical .NET vulnerability (MS11-100) on Dec. 29th 2011. This vulnerability was considered so crucial that its patch was released “out-of-band,” or weeks ahead of the next scheduled Patch Tuesday, in order to mitigate the threats it posed. There were rumors that the Microsoft Security Team sacrificed their Christmases in order to plug the hole as soon as possible. Unfortunately, that out-of-band patch set the stage for the upcoming year.
March brought a patch that piqued the interest of many hackers and researchers alike. MS12-020 was released with a rare “PATCH IMMEDIATELY” severity level. This patch remediates a vulnerability that resides in Microsoft’s extremely popular Remote Desktop Protocol (RDP) service. What makes this vulnerability so dangerous is that RDP is typically implemented to be accessible from outside of an organization’s network, giving hackers at large an easy service to exploit and use to pivot into the targeted system.
But Microsoft isn’t the only vendor with vulnerability problems. Adobe has released five patches in the last eight weeks alone, three of them for its widely used Flash Player application. Third-party applications present a cross-platform target that is independent of the operating system. Reading a PDF requires Adobe Reader. Watching a video on YouTube requires Adobe Flash Player. Java is needed for running both Java Web Applets and numerous desktop applications. Third-party applications are a part of everyday life in the workplace and at home, and their tremendous install base makes them very popular targets for vulnerability exploitation.
Apple’s Macintosh OS, long lauded as superior to Windows in terms of security, is just as vulnerable as other operating systems when running the same third-party applications, a fact that Mac users all over the world learned the hard way when a mass infection explicitly targeting them was discovered weeks ago. A recent Java vulnerability was responsible for back-to-back malware outbreaks affecting Mac users. The Flashback and SabPub Trojans were estimated to have infected 600,000 Macintosh computers within the past month, or approximately 1% of the entire Mac user base.
In light of the above examples, it’s important to emphasize how an aggressive patching program can mitigate the threats posed by vulnerabilities. Most vendors fix vulnerabilities before they are detected being used maliciously in the wild. In fact, last year Microsoft’s Security Intelligence Report found that 0.0% of attacks (a number too small to measure) were executed using unpatched vulnerabilities. Poor patch management is also the root cause of the recent Macintosh outbreak. Patches for the Java vulnerability responsible were accessible and had been pushed to Windows and Linux machines, but Apple had not yet made them available to their users.
So what can you do to protect yourself? Identifying and controlling the operating systems and third-party applications in your environment is a good first step towards developing a strong patch management infrastructure. Likewise, staying on top of the current vulnerability landscape can help prioritize patching procedures. New vulnerabilities will continue to be discovered, but it’s possible to minimize their destructive potential with good patching processes and policies.