Software vulnerabilities are one of those problems that potentially affect all users. A vulnerability is a fault in a program’s implementation that can be used by attackers to gain unauthorized access to data, inject malicious code or put a system out of operation. In most cases, vulnerabilities arise from a lack of attention to fine details at the design stage rather than programming errors. Sometimes a system can seem virtually invulnerable at the design stage, but then, at some point, a new technology arises and hackers prove that the system can be successfully attacked. A notable example is DES – a symmetric-key encryption algorithm developed in 1975, which was considered bulletproof at the time. However, in 1990 it was successfully broken in 39 days using an enormous computer network. A supercomputer built in 1998 succeeded in breaking DES in less than three days.
Continually testing popular software to identify vulnerabilities and releasing patches to close any vulnerabilities found is part of a program’s normal lifecycle. The more sophisticated and popular the program the higher the chances of vulnerabilities being found in it.
Searching for vulnerabilities
Most developers try to close any vulnerabilities found in their products in a timely manner. They analyze their software independently or with the help of external experts. However, third-party researchers also hunt for vulnerabilities. Some do this to improve the overall level of security online. Others are paid to search for vulnerabilities. Still others prefer to sell information on any vulnerabilities they discover on the black market.
They can do this because information on new vulnerabilities is valuable for cybercriminals. If a researcher finds a flaw in a system and proves that it can be exploited in practice (that is, if he writes an exploit), he can make tens of thousands of dollars on the black market. There is an entire sector of the cybercriminal underworld that specializes in finding and selling vulnerabilities.
Luckily, this business does not operate on a mass scale. One reason for this is that not all vulnerabilities can be exploited in the real world. A combination of different conditions is often needed to be able to do real harm and the chances of these combinations arising are not very high. A second reason is that it takes a highly skilled programmer to write an effective exploit, and there are not many of them around.
One more option for making money on vulnerabilities is to sell them to third-party companies that, at first glance, seem to have nothing to do with crime. This is what some researchers do. However, these companies may be involved in creating spyware for governments or special services, so the vulnerabilities will still be used to illegitimately manipulate information systems. Moreover, it turns out that the security of such companies is not always as good as it ought to be, so occasionally external parties are able to gain access to their knowledge, with dire consequences.
Idealists, who search for vulnerabilities for the sake of universal security, face a dilemma. On the one hand, the later they publicly announce their discovery, the more time the developers have to fix the problem. On the other, the earlier they publish the information the sooner users will learn about the danger posed by the vulnerability. In theory, cybercriminals might also discover the vulnerability and immediately take advantage of it. It should also be kept in mind that disclosing the information will inevitably result in attempts to abuse the newly discovered vulnerability. Sometimes, attacks can start within an hour of making information about a vulnerability public. This is what happened, for example, after the Shellshock disclosure.
What are the dangers of vulnerabilities?
An exploit is a program or code fragment that uses vulnerabilities to attack a computing system. In some cases, an exploit is used on a mass scale – that is, cybercriminals try to use it to attack a broad range of systems. In such cases, vulnerabilities in popular software (such as the Adobe Flash Player) are exploited to deliver payloads to user machines. This is commonly done via so-called drive-by attacks that attempt to download malicious code to the computers of all users visiting an infected website.
Sometimes cybercriminals develop targeted attacks. They analyze the software used by a particular company and write targeted exploits for those specific programs. One such highly tailored attack was carried out as part of the Duqu 2.0 APT.
The ‘useful’ life of exploits can vary. Some are used for years, even though developers release patches that close the relevant vulnerabilities. This is because some users are in no hurry to install those patches.
According to Kaspersky Lab data, today cybercriminals extensively use exploits for the vulnerabilities listed below:
|Adobe Flash Player||CVE-2015-0310|
|Microsoft Internet Explorer||CVE-2014-6332|
It is easy to see from CVE identifiers that most of these vulnerabilities were discovered this year, but there are also some that date back to 2014 and even 2012. The fact that these vulnerabilities are still being exploited means that many users have not bothered to update the relevant software.
Defending against exploits
The main recommendations are really quite simple: remember to update your software regularly and do not use outdated software. The latter piece of advice can be hard to follow: it is sometimes difficult to find a new alternative to a familiar and convenient program that is outdated. While developers do not track vulnerabilities in obsolete software or release patches for them, cybercriminals continue to watch for an opportunity to exploit. The upshot is that you need additional protection to continue using such software.
There are dedicated tools designed to scan computers for known vulnerabilities and, if detected, automatically install updates. These tools include, for example, Kaspersky Systems Management components Vulnerability Assessment and Patch Management. Kaspersky Lab is also developing a similar solution for home users called Kaspersky Software Updater. The utility is currently in beta testing.
Kaspersky Lab uses a vulnerability naming system that is different from the codes used in the CVE (Common Vulnerabilities and Exposures) system. While an identifier in CVE always corresponds to one vulnerability, a code in our system can match a group of vulnerabilities (in most cases, vulnerabilities closed with one patch or vulnerabilities in one version of a program) – sometimes dozens of vulnerabilities are covered by one code (depending on the patches released by software vendors). As a result, the 20 KLA vulnerabilities listed below actually match 375 CVE vulnerabilities.
According to Kaspersky Security Network statistics, vulnerability scanning most often identifies the following sets of vulnerabilities on our users’ machines:
|KLA||Number of users||Date of discovery||Description|
|1||KLA10680||308219||2015-10-14||Code execution vulnerability in Adobe Flash Player|
|2||KLA10036||256383||2014-07-08||Multiple vulnerabilities in Adobe Flash and Adobe AIR|
|3||KLA10492||228454||2013-10-16||Multiple vulnerabilities in Oracle products|
|4||KLA10670||182972||2015-09-21||Multiple vulnerabilities in Adobe products|
|5||KLA10650||176435||2015-08-11||Multiple vulnerabilities in Adobe products|
|6||KLA10653||150987||2015-05-18||Code execution vulnerability in QuickTime|
|7||KLA10682||150960||2015-10-13||Multiple vulnerabilities in Adobe Acrobat and Reader|
|8||KLA10628||138039||2015-07-14||Multiple vulnerabilities in Adobe Acrobat|
|9||KLA10651||135291||2015-08-17||Code injection vulnerability in VLC Media Player|
|10||KLA10655||134824||2015-09-01||Multiple vulnerabilities in Google Chrome|
|11||KLA10672||108722||2015-09-22||Multiple vulnerabilities in Mozilla Firefox|
|12||KLA10654||107661||2015-08-27||Multiple vulnerabilities in Mozilla Firefox|
|13||KLA10691||103880||2015-11-10||Multiple vulnerabilities in Google Chrome|
|14||KLA10344||100311||2009-11-05||Multiple vulnerabilities in Sun Java SE|
|15||KLA10669||92345||2015-09-16||Multiple vulnerabilities in Apple iTunes|
|16||KLA10684||91013||2015-10-22||Code execution vulnerability in Flash plugin for Google Chrome|
|17||KLA10663||87898||2015-09-08||Code execution vulnerability in Adobe Shockwave Player|
|18||KLA10690||87478||2015-11-10||Multiple vulnerabilities in Adobe products|
|19||KLA10569||86657||2015-04-28||Vulnerability in OpenOffice|
|20||KLA10671||84380||2015-09-21||Flash Player update for Google Chrome|
Vulnerability sets KLA10680 and KLA10650 are particularly notable. The former includes, among others, CVE-2015-7645, the latter — CVE-2015-5560. These vulnerabilities are also present in the first table above, which lists the most commonly exploited software flaws.
Naturally, security products also include technologies designed to block attempts to exploit vulnerabilities. They closely track application behavior (particularly that of applications known to be prone to vulnerabilities), identify and block suspicious activity.
How is the security industry doing?
Vulnerabilities can be found in security solutions, just like in any other software products. The only difference is that security vendors have a much greater responsibility, because security software is essentially the last line of defense. That is why Internet security companies are especially careful and thorough when it comes to checking products for vulnerabilities.
We cannot speak for the industry as a whole, so we are going to use the only example we are familiar with – that is, our own. We keep the security of our products in mind at all stages of development, from defining the attack surface at the design stage to special testing procedures aimed at identifying possible vulnerabilities in products that are nearly ready to be released. In the process of development, R&D staff not only create the necessary product functionality but also make certain that the new features cannot be used to compromise the program’s integrity.
We believe that this approach is more effective than a dedicated team responsible for tracking vulnerabilities in all of the company’s products. Which is not to say that we do not have such a team. A group of security architects regularly checks newly developed code for vulnerabilities using fuzz testing (so-called fuzzing) and penetration testing.
Fuzzing essentially means checking a program for unintended operations by inputting incorrect or random data. In other words, products are tested on abnormal or distorted data sets.
Penetration testing is carried out both internally and by external experts. It should be noted at this point, however, that in our experience, few external experts are sufficiently knowledgeable about the way security products work and can therefore effectively search for vulnerabilities. Additionally, Kaspersky Lab has a special team that specializes in searching third-party code for vulnerabilities (its services are used, among others, by banks seeking to verify the security of their applications). Even though third-party applications are the team’s top priority, these experts also analyze code developed in-house.
We also value the opinions of independent researchers. Any person who has found a vulnerability in our technologies can report it using a special communication channel that can be found here. Kaspersky Lab experts will thoroughly analyze all data coming via the channel. The procedure is as follows: first, our analysts confirm that there really is a vulnerability. After confirming this, we contact the independent researcher and agree on a time when this information will be made public. Meanwhile, the data is provided to the R&D team responsible for developing the technology; we also check whether the vulnerability is present in any other Kaspersky Lab products. It should be noted that sometimes independent researchers do draw our attention to serious issues. We really appreciate this!
A few practical recommendations
Since only software developers can significantly improve the situation, here are some recommendations:
- As we have said many times before, update your software. If the developer provides an update for its product, the chances are that it does so for a good reason.
- Do not disable automatic updates. True, this can be a bit of a nuisance if you have lots of programs, but security is what really counts.
- Remove the programs you no longer use. There is no reason for this dead weight to remain on your hard drive. One day such programs could do you a grave disservice.
- Do not use obsolete software. If it is really such a handy, useful program, there must be other similar programs available. True, it can be hard to abandon a familiar interface, but it is better to spend a few days getting used to a new one than using vulnerable software.
- Regularly scan your computer for known vulnerabilities using dedicated utilities.