New data from the recently-published Security Intelligence Report volume 16 (SIRv16) suggests that keeping Java up-to-date with security updates is one of the most effective ways to protect environments from attackers. One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits.
Exploit kits used by cybercriminals to attack software have been around since at least 2006 in various forms. In 2010, the initial release of the Blackhole exploit kit made it easier than ever to configure and operate malicious websites designed to try to infect unpatched systems with malware. I have written about this particular exploit kit before: The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date.
Figure 1: How the Blackhole exploit kit works
Besides ease of use, the key feature to the success of these kits is that exploit kit makers continually update the set of exploits included in their kits: adding new exploits as they are discovered and discarding old exploits that are no longer effective or are considered too likely to be detected by security software.
Early exploit kits targeted vulnerabilities in a diverse set of products from several different vendors. Over the years, kit makers have gradually narrowed down the list of products they target to a handful of widely deployed products and components, notably Adobe Flash and Reader, various Microsoft products, and Oracle Java. More recently, kit makers have increasingly focused on vulnerabilities in out-of-date versions of the Java Runtime Environment (JRE). The JRE is often installed on desktop and laptop computers as a browser add-on. In 2013, nearly three-quarters of the exploits used by exploit kits targeted JRE vulnerabilities.
Although exploit kit makers continue to include exploits for a variety of programs and components, not all of the exploits get exposed to every computer that visits a malicious web page. To reduce their chances of detection by security software, many exploit kits include code that allows them to expose only a subset of the vulnerabilities in the kit based on the characteristics of the visiting computer, or on which exploits have been the most successful in the past.
Microsoft real-time antimalware software shows how many systems encounter and block such exploits. Figure 2 examines computers with detections for exploits that are known to be used by exploit kits. Note: detections for Common Vulnerabilities and Exposures (CVEs) that are not known to be exploited by exploit kits are not included in this chart, nor are detections that cannot be associated with a specific CVE.
As seen in Figure 2, over the past few years, exploit kit-related detections have become increasingly dominated by JRE exploits. In 2013, JRE exploits accounted for between 84.6 and 98.5 percent of exploit kit-related detections each month, with Adobe Reader exploits a distant second. Exploits targeting all other products, including Internet Explorer, accounted for just 1.1 percent of detections each month in 2013 on average.
Figure 2: Exploit kit-related malware detections, 2010–2013, by product or component targeted. Note: Computer totals are expressed as percentages of computers that encountered the aforementioned exploits, not as percentages of all reporting computers.
Figure 3: Quarterly encounter rate trends for the top exploit families detected and blocked by Microsoft real-time antimalware products in the second half of 2013, shaded according to relative prevalence. Note: Totals for individual vulnerabilities do not include exploits that were detected as part of exploit kits.
Technologies such as DEP and ASLR are a likely factor in exploit kit authors’ increasing preference for exploits that don’t involve memory safety, as shown in Figure 5. Given this data, you might wonder how you can check whether applications in your environment are using mitigations like ASLR and DEP. Microsoft offers free tools that help you audit the security of your software, such as the BinScope Binary Analyzer and EMET.
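The tools named above report, among other things, whether a binary was linked with the DEP and ASLR opt-in flags. Those flags live in the PE optional header's DllCharacteristics field, so the same check can be scripted for a fleet-wide inventory. The following is an added example, not code from the SIR or from Microsoft's tools: it reads the two relevant bits (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR, IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, plus HIGH_ENTROPY_VA for 64-bit ASLR) from any PE32 or PE32+ image and flags images that opt out of either. The `build_sample_pe` helper constructs header-only images purely so the example runs offline; the file names in `audit` are made up.

```python
import struct

# Bit flags in the optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (high-entropy)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP/NX opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return which exploit mitigations a PE image opts into, read from its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # 20-byte COFF file header follows
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                         # optional header follows the COFF header
    if size_of_optional < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_sample_pe(magic: int, dll_characteristics: int) -> bytes:
    """Construct a minimal header-only PE image (no sections) for offline testing.

    This is a constructed test fixture, not a real executable.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> right after DOS header
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit(images: dict) -> list:
    """Return the names of images that opt out of ASLR or DEP, for follow-up."""
    weak = []
    for name, data in images.items():
        m = pe_mitigations(data)
        if not (m["aslr"] and m["dep"]):
            weak.append(name)
    return weak


if __name__ == "__main__":
    # Constructed inventory: one hardened 64-bit image, one legacy 32-bit plug-in.
    inventory = {
        "hardened.exe": build_sample_pe(PE32PLUS_MAGIC, 0x0160),
        "legacy_plugin.dll": build_sample_pe(PE32_MAGIC, 0x0000),
    }
    for name, data in inventory.items():
        print(name, pe_mitigations(data))
    print("needs attention:", audit(inventory))
```

On a real host you would read each file with `open(path, "rb").read()` and pass the bytes to `pe_mitigations`. Note that these bits record only what the linker opted into; system-wide DEP policy and EMET's mandatory ASLR can still enforce a mitigation on an image that did not ask for it, so treat the result as a link-time audit rather than the final word on runtime protection.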
Figure 4: Exploit kit-related malware detections, 2010–2013, by type of vulnerability
Reducing the risk
The following security precautions can help protect your organization’s systems from exploit kits:
- Use the newest versions of applications: Windows 8.1, Internet Explorer 11, and Office 2013 all take advantage of improved security features that more effectively mitigate techniques that are currently being used to exploit vulnerabilities. Deploying these product versions widely can help mitigate the risk an organization faces from several of the most commonly detected exploits. Using the 64-bit edition of Internet Explorer 11 with Enhanced Protected Mode enabled can also help protect users from a range of Internet-borne threats.
- Use the Enhanced Mitigation Experience Toolkit (EMET): EMET can be used to protect applications that run on all supported versions of Windows. The features included in EMET are specifically designed to break exploitation techniques that are currently used by attackers.
- Stay current on security updates: most of the examined vulnerabilities only showed signs of being exploited after a security update had been made available. Exploit kits, in particular, tended to target vulnerabilities for which security updates had already been available for a significant amount of time. Installing security updates as soon as they are available can help minimize risk.
- Keep Oracle JRE updated: this new data suggests that keeping JRE up-to-date continues to be a highly impactful security mitigation.