
Results of 2014: Windows threats and exploitation

Today we publish our report for the year, which covers a range of threats as well as current trends in cyber attacks. Over the past year we documented the emergence of many new malware families for Windows, along with the continued development of existing ones. The report is not limited to Windows: it also covers the Google Android and Apple iOS mobile platforms.



Our report also contains detailed information about the vulnerabilities patched in various components of Windows and MS Office. Many of these vulnerabilities were exploited by cybercriminals in attacks on users before a fix was available (so-called 0day vulnerabilities). Last year we issued a separate press release on the well-known BlackEnergy Trojan, which was spread using a 0day vulnerability in Office.

The report includes the following information:

Over the past year we have seen many exploits used by attackers to carry out drive-by download attacks. Such attacks are very attractive to them because they install malicious programs on the user's computer without any visible sign (a so-called silent install). The report describes the nature of these attacks in detail. Since Internet Explorer (IE) is one of the most frequent targets, we also included detailed information on the key security features Microsoft added to it last year that help users defend against such attacks.
In the diagram below you can see that Microsoft patched more vulnerabilities in IE than in any other component of Windows or in its Office product. Virtually all of these vulnerabilities are of the Remote Code Execution type and can be used by attackers to carry out drive-by download attacks. The diagram compares IE with components such as the kernel-mode driver of the Windows GUI subsystem, win32k.sys, other kernel-mode drivers, the .NET Framework, user-mode Windows components, and the Office product.



Attackers can remotely execute malicious code in the browser using a specially crafted web page. Such a page contains special code, called an exploit, that creates the conditions needed to trigger a vulnerability. Attackers typically use such exploits to install malware whenever a visitor runs a vulnerable version of Windows. This kind of attack is a drive-by download and is the key trend in the exploitation of IE, as shown in the diagram below.
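The two passages above describe the drive-by download chain from the attacker's side: a visited page silently pulls an executable onto the machine. From the defender's side, that chain leaves a recognisable trace in web-proxy logs. The following script is an added example, not code from the report or the original post: it applies a simple heuristic to constructed proxy log lines and flags an executable download that arrives within a few seconds of an HTML page load, from a different host, and without a Referer pointing at any page the user actually opened. The log format, the ten-second window and the list of executable content types are assumptions made for the example.

```python
"""
Added example (not from the ESET report or the original post): a heuristic
that scans web-proxy log lines for a drive-by download chain, i.e. an HTML
page load followed within a short window by an executable download that
the user did not visibly navigate to. Every log line below is constructed
for this example; the field layout, the time window and the content-type
list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Content types that typically carry a Windows executable payload (assumption).
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}
# How soon after a page load a silent download is considered part of the chain.
WINDOW = timedelta(seconds=10)

# Constructed proxy log: "<iso-time> <client> <method> <url> <status> <content-type> <referer>"
# Client 10.0.0.5 visits a news page whose ad frame leads to an .exe from an
# unrelated host with no Referer (drive-by chain). Client 10.0.0.7 clicks a
# download link on a vendor page (deliberate). Client 10.0.0.8 fetches an .exe
# from the same host it is browsing (deliberate).
SAMPLE_LOG = [
    "2014-12-03T10:15:01 10.0.0.5 GET http://news.example/article.html 200 text/html -",
    "2014-12-03T10:15:02 10.0.0.5 GET http://news.example/style.css 200 text/css http://news.example/article.html",
    "2014-12-03T10:15:03 10.0.0.5 GET http://cdn-ads.example/frame.html 200 text/html http://news.example/article.html",
    "2014-12-03T10:15:04 10.0.0.5 GET http://cdn-ads.example/load.swf 200 application/x-shockwave-flash http://cdn-ads.example/frame.html",
    "2014-12-03T10:15:06 10.0.0.5 GET http://203.0.113.9/update.exe 200 application/x-msdownload -",
    "2014-12-03T10:20:00 10.0.0.7 GET http://vendor.example/downloads.html 200 text/html -",
    "2014-12-03T10:20:05 10.0.0.7 GET http://files.vendor.example/setup.exe 200 application/x-msdownload http://vendor.example/downloads.html",
    "2014-12-03T10:25:00 10.0.0.8 GET http://tools.example/index.html 200 text/html -",
    "2014-12-03T10:25:03 10.0.0.8 GET http://tools.example/tool.exe 200 application/x-msdownload -",
]


def parse_line(line):
    """Split one constructed log line into a record with a parsed timestamp and host."""
    ts, client, method, url, status, ctype, referer = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).netloc,
        "status": int(status),
        "ctype": ctype,
        "referer": referer,
    }


def find_driveby_chains(lines):
    """Return (client, landing_page_url, payload_url) tuples for suspected chains."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        pages = [r for r in recs if r["ctype"] == "text/html" and r["status"] == 200]
        page_urls = {p["url"] for p in pages}

        for dl in recs:
            if dl["ctype"] not in EXECUTABLE_TYPES or dl["status"] != 200:
                continue
            # A Referer naming a page the user really loaded looks like a
            # deliberate click on a download link, so it is not flagged.
            if dl["referer"] in page_urls:
                continue
            # Otherwise, pair the download with a recent page load from a
            # different host: the user browsed one site and silently received
            # an executable from another.
            for page in pages:
                delta = dl["time"] - page["time"]
                if timedelta(0) <= delta <= WINDOW and dl["host"] != page["host"]:
                    alerts.append((client, page["url"], dl["url"]))
                    break
    return alerts


if __name__ == "__main__":
    for client, landing, payload in find_driveby_chains(SAMPLE_LOG):
        print(f"suspected drive-by: client={client} page={landing} payload={payload}")
```

Run on the constructed log, only the 10.0.0.5 chain is reported; the vendor download (Referer points at a page the user opened) and the same-host download are left alone. The heuristic is deliberately coarse: an exploit served through an iframe can set a Referer that matches a loaded page and slip past the referer rule, so in practice the alert is a starting point for correlating with endpoint telemetry rather than a verdict on its own.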



Our report includes detailed information about the exploit mitigation mechanisms Microsoft added to Windows and IE last year. The section describing these mechanisms covers Windows, Internet Explorer, and EMET. Such mechanisms protect the user against the exploitation of a whole class of vulnerabilities rather than individual bugs. For example, Out-of-date ActiveX control blocking is very useful for stopping exploits that target vulnerabilities in older versions of the Oracle Java and MS Silverlight plug-ins.

The report also describes popular Local Privilege Escalation (LPE) attacks, which attackers use to bypass the sandbox mechanisms of web browsers and run malicious code with high privileges on the system or in kernel mode. Last year a number of vulnerabilities were patched in the win32k.sys driver, which is the main source of such flaws. Unfortunately, win32k.sys remains the main source of LPE vulnerabilities in Windows today.

The full report can be downloaded from this link.

Source: https://habr.com/ru/post/248977/

