
Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date

  • Tim Rains

Earlier this year we published a special edition Security Intelligence Report that looked at some of the ways the threat landscape has evolved over the past ten years.  The report included a view into how attackers have shifted their tactics over the past decade.  I discussed the data in this report in depth, in a series of articles that Jeff Jones and I wrote, looking back at how things have changed (part 1, 2, 3, 4, 5, 6).

Figure 1: Threat categories since 2006

As I look at the current state of the global threat landscape, I’m struck by a new evolution, the amount of exploit activity that has occurred over the past year.  According to data we recently published in the Microsoft Security Intelligence Report volume 13 (SIRv13), there has been a measurable increase in exploit activity since the first quarter of 2011 (1Q11) as seen in Figures 2 and 3.  Figure 2 indicates that the number of exploit detections blocked by Microsoft antimalware software increased comparatively from below 10% in 1Q11 to over 15% in the first quarter of 2012 (1Q12).   

Figure 2: Detections by threat category, 1Q11–2Q12, by percentage of all computers reporting detections

Although this increase isn’t as dramatic as some of the other threat categories during this period, exploits have been relatively low volume compared to other threat categories for quite some time.  A more typical level for exploits is between 4% and 7%.  This increase in exploit activity is also evident in Figure 3, illustrating the number of unique computers with exploit detections.  The increased exploit activity has been driven by increases in four types of exploits starting in 2Q11, including HTML/JavaScript, Oracle Java, document parser exploits, and operating system exploits. The largest increases in exploit activity have been in HTML/JavaScript and Oracle Java exploits.

Figure 3: Unique computers reporting different types of exploits, 1Q11–2Q12

As I wrote about previously in November 2011 (Millions of Java Exploit Attempts: The Importance of Keeping All Software Up To Date), vulnerabilities in Java continue to be a popular attack vector.  Many of the exploit attempts reflected in the HTML/JavaScript data are malicious scripts designed to exploit vulnerabilities in Oracle Java and Adobe Reader, among vulnerabilities in other software including Microsoft Windows. Figure 4 contains the top exploit families detected over the past year.

Figure 4: Top exploit families detected by Microsoft antimalware products in the second half of 2011 and first half of 2012, by number of unique computers with detections, shaded according to relative prevalence 

Recent reports on at least one security vendor’s data seem to confirm that exploit activity focusing on Oracle Java has risen:

In years past it was rare to see an exploit in the top ten list of threats for a country/region.  In the second quarter of 2012, at least one exploit was in the top ten list of threats for 51 locations of the 105 countries/regions (49%) reported on in SIRv13.  Many locations had multiple exploits on their top ten list of threats including regions whose lists typically contain less severe threats such as Austria, Canada, Finland, and Germany.  If this trend continues, I would expect exploits to appear in the top ten lists of threats for more locations around the world. This makes it more important than ever to keep all software installed on a system up-to-date, regardless of what operating system is running.

The call to action includes:

  • If you haven’t updated Java in your environment recently, you should evaluate the current risks.
  • It is important to realize that multiple versions of Java may be installed on one system.  Upon deciding which version(s) to keep, be sure to explicitly remove all other versions deemed unnecessary.
  • Keep all software in your environment up-to-date, not just Windows; assume attackers are targeting vulnerabilities in all prevalent software.
  • Run antimalware software from a trusted vendor and keep it up-to-date as antimalware software can be helpful in mitigating this type of attack.
  • Don’t get phished – avoid clicking on links and opening attachments, like .pdf files, received via email.
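As an added illustration of the second point above (not code from the original post), a PowerShell script that inventories every Java entry registered in the Windows Uninstall registry keys (both 32-bit and 64-bit views), picks the newest by version and lists the rest for review and explicit removal; the assumption that Oracle's packages carry a DisplayName beginning with "Java" is mine:

```powershell
# Added example: find all Java packages registered on a Windows system and flag every
# entry other than the newest so that leftover versions can be removed explicitly.
# The two Uninstall hives are the standard locations; the 'Java*' DisplayName match
# is an assumption about how the installers label themselves (e.g. "Java 7 Update 9").
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# SilentlyContinue: the WOW6432Node hive does not exist on 32-bit Windows.
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString

if (-not $javaInstalls) {
    Write-Output 'No Java installations found in the Uninstall registry keys.'
    return
}

# Sort newest first. DisplayVersion is parsed as [version] where possible;
# entries whose version string does not parse sort to the bottom.
$sorted = $javaInstalls | Sort-Object -Descending -Property @{ Expression = {
    $v = $null
    if ([version]::TryParse($_.DisplayVersion, [ref]$v)) { $v } else { [version]'0.0' }
} }

$newest = $sorted | Select-Object -First 1
Write-Output "Newest Java entry: $($newest.DisplayName) ($($newest.DisplayVersion))"
Write-Output ''
Write-Output 'Other Java entries to review and remove if not needed:'
# Same-version 32-bit and 64-bit packages both appear here; keep only what is required.
$sorted | Select-Object -Skip 1 |
    Format-Table DisplayName, DisplayVersion, Publisher, UninstallString -AutoSize
```

Run it in an elevated PowerShell session so both hives are readable; the UninstallString column gives the command each leftover package registered for its own removal.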

Tim Rains
Trustworthy Computing