Earlier this year we published a special edition Security Intelligence Report that looked at some of the ways the threat landscape has evolved over the past ten years. The report included a view into how attackers have shifted their tactics over the past decade. I discussed the data in this report in depth, in a series of articles that Jeff Jones and I wrote, looking back at how things have changed (part 1, 2, 3, 4, 5, 6).
Figure 1: Threat categories since 2006
As I look at the current state of the global threat landscape, I’m struck by a new evolution: the amount of exploit activity that has occurred over the past year. According to data we recently published in the Microsoft Security Intelligence Report volume 13 (SIRv13), there has been a measurable increase in exploit activity since the first quarter of 2011 (1Q11), as seen in Figures 2 and 3. Figure 2 shows the share of computers reporting detections on which Microsoft antimalware software detected and blocked an exploit rising from below 10% in 1Q11 to over 15% in the first quarter of 2012 (1Q12). Note that a detection means exploit code was found or blocked on the computer, not that the exploit succeeded.
Figure 2: Detections by threat category, 1Q11–2Q12, by percentage of all computers reporting detections
Figure 3: Unique computers reporting different types of exploits, 1Q11–2Q12
Figure 4: Top exploit families detected by Microsoft antimalware products in the second half of 2011 and first half of 2012, by number of unique computers with detections, shaded according to relative prevalence
Recent reports on at least one security vendor’s data seem to confirm that exploit activity focusing on Oracle Java has risen:
In years past it was rare to see an exploit in the top ten list of threats for a country/region. In the second quarter of 2012, at least one exploit was in the top ten list of threats for 51 of the 105 countries/regions (49%) reported on in SIRv13. Many locations had multiple exploits on their top ten lists, including regions whose lists typically contain less severe threats, such as Austria, Canada, Finland, and Germany. If this trend continues, I would expect exploits to appear in the top ten lists of threats for more locations around the world. This makes it more important than ever to keep all software installed on a system up-to-date, regardless of which operating system is running.
The call to action includes:
- If you haven’t updated Java in your environment recently, you should evaluate the current risks.
- It is important to realize that multiple versions of Java may be installed on one system, and installing a newer version does not necessarily remove the older ones. An old version that is still present remains exploitable. Upon deciding which version(s) to keep, be sure to explicitly remove all other versions deemed unnecessary.
- Keep all software in your environment up-to-date, not just Windows; assume attackers are targeting vulnerabilities in all prevalent software.
- Run antimalware software from a trusted vendor and keep it up-to-date as antimalware software can be helpful in mitigating this type of attack.
- Don’t get phished – avoid clicking on links and opening attachments, like .pdf files, received via email.
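The following script is an added example, not code from the original post or from Microsoft, of how an administrator could act on the Java items above: it inventories every Java runtime registered in the Windows Uninstall keys (64-bit and 32-bit views), orders them by version, reports which JRE java.exe resolves to by default, and prints an uninstall command for every runtime except the newest. It assumes the standard Oracle/Sun registry entries, whose DisplayName begins with "Java" or "J2SE" and whose DisplayVersion is dotted (e.g. 7.0.70 for Java 7 Update 7); the regular expressions and the decision to keep only the newest version are this example's own choices.

```powershell
# Added example (not from the original post): inventory installed Java runtimes
# and print, without executing, the uninstall command for all but the newest.
# Review the output before running anything: an application may still depend
# on an older major version, in which case keep that one deliberately.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$javaRuntimes = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        # Assumed naming of the Oracle/Sun entries; skip the updater and the JDK.
        $_.DisplayName -match '^(Java|J2SE)' -and
        $_.DisplayName -notmatch 'Auto Updater|Development Kit' -and
        $_.DisplayVersion
    } |
    ForEach-Object {
        # [version] needs a dotted string; normalise 1.7.0_07-style values too.
        # Comparing as [version] avoids the string trap where "7.0.70" < "7.0.9".
        $dotted = $_.DisplayVersion -replace '_', '.'
        $view   = if ($_.PSPath -match 'WOW6432Node') { '32-bit' } else { '64-bit' }
        [pscustomobject]@{
            Name      = $_.DisplayName
            Version   = [version]$dotted
            View      = $view
            Uninstall = $_.UninstallString
        }
    } |
    Sort-Object -Property Version -Descending

if (-not $javaRuntimes) {
    Write-Output 'No Java runtime is registered in the Uninstall keys.'
    return
}

# The JRE that java.exe resolves to by default (value is absent if no JRE is registered).
$current = Get-ItemProperty -Path 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment' `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty CurrentVersion -ErrorAction SilentlyContinue
Write-Output "Default JRE (JavaSoft CurrentVersion): $current"

Write-Output 'Installed Java runtimes, newest first:'
$javaRuntimes | Format-Table Name, Version, View -AutoSize | Out-String | Write-Output

$keep   = $javaRuntimes | Select-Object -First 1
$remove = $javaRuntimes | Select-Object -Skip 1

Write-Output "Keeping : $($keep.Name) ($($keep.View))"
foreach ($r in $remove) {
    # Oracle's entries are MSI-based; /qn /norestart makes the removal silent.
    $cmd = $r.Uninstall
    if ($cmd -match '^MsiExec') { $cmd = "$cmd /qn /norestart" }
    Write-Output "Remove  : $($r.Name) ($($r.View))"
    Write-Output "          $cmd"
}
```

Run it in an elevated PowerShell session so both registry views are readable. The script only prints the commands; paste each one into an elevated prompt (or wrap the loop in `Start-Process msiexec.exe -Wait`) once you have confirmed that nothing on the machine needs the older runtime. After removal, re-run the script to confirm that only the intended version remains and that the JavaSoft CurrentVersion value points at it.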