SANS_report - Spiceworks Community

http://www.sans.org/top-cyber-security-risks/summary.php
Priority One: Client-side software that remains unpatched.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side
vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe
Flash and Microsoft Office. This is currently the primary initial infection vector used to
compromise computers that have Internet access. Those same client-side vulnerabilities are
exploited by attackers when users visit infected web sites. (See Priority Two below for how they
compromise the web sites). Because the visitors feel safe downloading documents from the
trusted sites, they are easily fooled into opening documents and music and video that exploit
client-side vulnerabilities. Some exploits do not even require the user to open documents. Simply
accessing an infected website is all that is needed to compromise the client software. The
victims' infected computers are then used to propagate the infection and compromise other
internal computers and sensitive servers incorrectly thought to be protected from unauthorized
access by external entities. In many cases, the ultimate goal of the attacker is to steal data from
the target organizations and also to install back doors through which the attackers can return for
further exploitation. On average, major organizations take at least twice as long to patch client-side
vulnerabilities as they take to patch operating system vulnerabilities. In other words, the
highest priority risk is getting less attention than the lower priority risk.
Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime
vulnerabilities account for most of the attacks that are being launched against Apple software.
Note that QuickTime runs on both Mac and Windows Operating Systems. The following
vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957
Application Patching is Much Slower than Operating System Patching
Qualys scanners collect anonymized data of detected vulnerabilities to capture the changing
dynamics in the vulnerability assessment field. The data documents changes such as the decline
of server side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both
in operating system components and applications. A Top 30 ranking is often used to see whether major
changes occur in the most frequently found vulnerabilities. Here is the ranking for the first half of
2009, edited to remove irrelevant data points such as 0-day vulnerabilities.
1. WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
2. Sun Java Multiple Vulnerabilities (244988 and others)
3. Sun Java Web Start Multiple Vulnerabilities May Allow Elevation of Privileges (238905)
4. Java Runtime Environment Virtual Machine May Allow Elevation of Privileges (238967)
5. Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)
6. Microsoft SMB Remote Code Execution Vulnerability (MS09-001)
7. Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability
8. Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
9. Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-01)
10. Sun Java JDK JRE Multiple Vulnerabilities (254569)
11. Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)
12. Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
13. Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)
14. Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability (MS08-070)
15. Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)
16. Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (MS09-028)
17. Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)
18. Adobe Flash Player Multiple Vulnerabilities (APSB07-20)
19. Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)
20. Third Party CAPICOM.DLL Remote Code Execution Vulnerability
21. Microsoft Windows Media Components Remote Code Execution Vulnerability (MS08-076)
22. Adobe Flash Player Multiple Vulnerabilities (APSB07-12)
23. Microsoft Office Remote Code Execution Vulnerability (MS08-055)
24. Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02 and APSB09-06)
25. Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)
26. Processing Font Vulnerability in JRE May Allow Elevation of Privileges (238666)
27. Microsoft Office Could Allow Remote Code Execution (MS08-016)
28. Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (APSB08-19)
29. Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)
30. Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)
Table 1: Qualys Top 30 in H1 2009
Some of the vulnerabilities listed in the table are addressed quickly by IT administrators;
vulnerabilities in the base operating system class, for example, show a significant drop within even
the first 15 days of their lifetime.
Real-Life HTTP Client-Side Exploitation Example
This section illustrates an example of a real life attack conducted against an organization that
resulted in loss of critical data for the organization.
In this attack, Acme Widgets Corporation suffered a major breach from attackers who were able
to compromise their entire internal network infrastructure using two of the most powerful and
common attack vectors today: Exploitation of client-side software and pass-the-hash attacks
against Windows machines.
Step 0: Attacker Places Content on Trusted Site
In Step 0, the attacker begins by placing content on a trusted third-party website, such as a social
networking, blogging, photo sharing, or video sharing website, or any other web server that hosts
content posted by public users. The attacker's content includes exploitation code for unpatched
client-side software.
Step 1: Client-Side Exploitation
In Step 1, a user on the internal Acme Widgets enterprise network surfs the Internet from a
Windows machine that is running an unpatched client-side program, such as a media player (e.g.,
Real Player, Windows Media Player, iTunes, etc.), document display program (e.g., Acrobat
Reader), or a component of an office suite (e.g., Microsoft Word, Excel, PowerPoint, etc.). Upon
receiving the attacker's content from the site, the victim user's browser invokes the vulnerable
client-side program, passing it the attacker's exploit content. This exploit code allows the attacker to
install or execute programs of the attacker's choosing on the victim machine, using the privileges
of the user who ran the browser. The attack is partially mitigated because this victim user does
not have administrator credentials on this system. Still, the attacker can run programs with those
limited user privileges.
Step 2: Establish Reverse Shell Backdoor Using HTTPS
In Step 2, the attacker's exploit code installs a reverse shell backdoor program on the victim
machine. This program gives the attacker command shell access of the victim machine,
communicating between this system and the attacker using outbound HTTPS access from victim
to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic
as far as the enterprise firewall and network is concerned.
Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
In Step 3, the attacker uses shell access of the initial victim system to load a local privilege
escalation exploit program onto the victim machine. This program allows the attacker to jump
from the limited privilege user account to full system privileges on this machine. Although
vendors frequently release patches to stop local privilege escalation attacks, many organizations
do not deploy such patches quickly, because such enterprises tend to focus exclusively on
patching remotely exploitable flaws. The attacker now dumps the password hashes for all
accounts on this local machine, including a local administrator account on the system.
In Step 4, instead of cracking the local administrator password, the attacker uses a Windows
pass-the-hash program to authenticate to another Windows machine on the enterprise internal
network, a fully patched client system on which this same victim user has full administrative
privileges. With both NTLMv1 and NTLMv2, Windows authenticates network access for the
Server Message Block (SMB) protocol through a challenge-response exchange keyed by the user's
password hash rather than the password itself, so whoever holds the hash can answer the challenge.
This gives the attacker access to the file system, and the ability to run programs, on the fully patched
system with local administrator privileges. Using these privileges, the attacker now dumps the password
hashes for all local accounts on this fully patched Windows machine.
Step 5: Pass the Hash to Compromise Domain Controller
In Step 5, the attacker uses a password hash from a local account on the fully patched Windows
client to access the domain controller system, again using a pass-the-hash attack to gain shell
access on the domain controller. Because the password for the local administrator account is
identical to the password for a domain administrator account, and Windows stores NT password
hashes without a salt, the password hashes for the two accounts are identical. Therefore, the attacker
can access the domain controller with full domain administrator privileges, giving the attacker
complete control over all other accounts and machines in that domain.
Steps 6 and 7: Exfiltration
In Step 6, with full domain administrator privileges, the attacker now compromises a server
machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive
information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the
Internet from the server, again using HTTPS to encrypt the information, minimizing the chance
of it being detected.
Best Practices in Mitigation and Control
A few weeks ago, the Center for Strategic and International Studies published an updated version
of the Twenty Critical Controls for Effective Cyber Defense.
http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf
These controls reflect the consensus of many of the nation's top cyber defenders and attackers on
which specific controls must be implemented first to mitigate known cyber threats.
One of the most valuable uses of this report is to help organizations deploying the Twenty
Critical Security Controls to be certain that no critical new attacks have been found that would
force substantial changes in the Twenty Controls and at the same time to help people who are
implementing the Twenty Critical Security Controls to focus their attention on the elements of
the controls that need to be completed most immediately.
The key elements of these attacks and the associated controls:

- User applications have vulnerabilities that can be exploited remotely.
  o Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10 (Vulnerability
    Assessment and Remediation) can ensure that vulnerable software is accounted for,
    identified for defensive planning, and remediated in a timely manner. Control 5
    (Boundary Defenses) can provide some prevention/detection capability when attacks
    are launched.
- There is an increasing number of zero-days in these types of applications.
  o Control 12 (Malware Defenses) is the most effective at mitigating many of these attacks
    because it can ensure that malware entering the network is effectively contained.
    Controls 2, 3, and 10 have minimal impact on zero-day exploits, and Control 5 can
    provide some prevention/detection capabilities against zero-days as well as known
    exploits.
- Successful exploitation grants the attacker the same privileges on the network as the user
  and/or host that is compromised.
  o Control 5 (Boundary Defenses) can ensure that compromised host systems (portable
    and static) can be contained. Controls 8 (Controlled Use of Administrative Privileges)
    and 9 (Controlled Access) limit what access the attacker has inside the enterprise once
    they have successfully exploited a user application.
- The attacker is masquerading as a legitimate user but is often performing actions that are not
  typical for that user.
  o Controls 6 (Audit Logs) and 11 (Account Monitoring and Control) can help identify
    potentially malicious or suspicious behavior, and Control 18 (Incident Response
    Capability) can assist in both detection and recovery from a compromise.
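What Controls 6 and 11 look like when pointed at the attack chain above, as an added example (not code from the report or from CSIS): two heuristics run over constructed, flattened Security-log 4624 records. Step 4 shows up as a local SAM account authenticating over the network with NTLM, and Step 5 onward as one account from one source fanning out to several hosts in minutes. The one-line record layout, the host names, the IP addresses and the ACME domain are assumptions of this example; the field semantics (Logon Type 3 is a network logon, Authentication Package NTLM, an account domain equal to a host name denotes a local account) follow the Windows Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): flattened Windows Security 4624 records.
# type=3 is a network logon, pkg is the Authentication Package, domain is the account's
# domain (a host name here means a local SAM account), ws/src identify the client.
SAMPLE_LOG = """\
2009-06-12T09:02:11 host=WS-ACME-17 id=4624 type=2 pkg=Kerberos account=jsmith domain=ACME ws=WS-ACME-17 src=-
2009-06-12T09:40:05 host=FS-01 id=4624 type=3 pkg=Kerberos account=jsmith domain=ACME ws=WS-ACME-17 src=10.1.4.23
2009-06-12T13:21:48 host=WS-ACME-41 id=4624 type=3 pkg=NTLM account=Administrator domain=WS-ACME-41 ws=WS-ACME-17 src=10.1.4.23
2009-06-12T13:23:10 host=DC-01 id=4624 type=3 pkg=NTLM account=Administrator domain=ACME ws=WS-ACME-17 src=10.1.4.23
2009-06-12T13:25:37 host=FS-01 id=4624 type=3 pkg=NTLM account=Administrator domain=ACME ws=WS-ACME-17 src=10.1.4.23
2009-06-12T13:26:02 host=SECRETS-SRV id=4624 type=3 pkg=NTLM account=Administrator domain=ACME ws=WS-ACME-17 src=10.1.4.23
"""


def parse_record(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text: str, ad_domain: str = "ACME",
           fanout_hosts: int = 3, window: timedelta = timedelta(minutes=15)) -> list:
    """Two pass-the-hash heuristics over successful NTLM network logons.

    1. local-account-network-logon: a local SAM account (domain is a host name, not the
       AD domain) authenticating over the network. Step 4 of the chain looks exactly like this.
    2. ntlm-lateral-fanout: one account from one source reaching fanout_hosts or more
       distinct targets inside `window`. Step 5 onward looks like this.
    """
    records = [parse_record(line) for line in log_text.splitlines() if line.strip()]
    ntlm_net = [r for r in records
                if r["id"] == "4624" and r["type"] == "3" and r["pkg"] == "NTLM"]
    alerts = []

    for r in ntlm_net:
        if r["domain"].upper() != ad_domain.upper():
            alerts.append(("local-account-network-logon",
                           r["account"], r["domain"], r["host"], r["src"]))

    by_actor = defaultdict(list)
    for r in ntlm_net:
        by_actor[(r["account"].upper(), r["domain"].upper(), r["src"])].append(r)
    for (account, domain, src), rs in by_actor.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):  # slide a window forward from each logon
            hosts = {r["host"] for r in rs[i:] if r["ts"] - first["ts"] <= window}
            if len(hosts) >= fanout_hosts:
                alerts.append(("ntlm-lateral-fanout", account, domain, src,
                               tuple(sorted(hosts))))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two practical caveats. The event source matters: a local-account logon is recorded only on the target host, so the first rule needs logs collected from member servers and workstations, not just the domain controllers. And NTLM network logons by local accounts are also produced by workgroup hosts and shares reached by IP address, so both rules need a baseline per environment before they are allowed to page anyone.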