Palo Alto Networks Traps Covers Top High Risk Vulnerabilities Highlighted By US-CERT

Jun 23, 2015

US-CERT recently issued an alert listing the 30 vulnerabilities most prevalent in the targeted attacks of 2014. Each of these vulnerabilities, when exploited, means a compromised endpoint.

From this compromised endpoint the attacker expands to other endpoints and servers in your network until reaching its goal, possibly stealing the crown jewels it set out for.

The CERT list is a valuable source, reflecting the actual threat landscape. Security decision makers can derive important knowledge from reading between its lines:

The prevailing attack scenario is still a user browsing the web or opening an attachment. According to the CERT list, the only exceptions are one OpenSSL and four ColdFusion vulnerabilities; the following discussion does not cover those five.

Memory corruption, logical and Java vulnerabilities:

CVE ID          Targeted Application    Vulnerability Type               Zero Day
CVE-2006-3227   Internet Explorer       Charset obfuscation
CVE-2008-2244   MS Word                 Buffer overflow
CVE-2009-3129   MS Excel                Excel FEATHEADER record
CVE-2009-3674   Internet Explorer       Uninitialized memory corruption
CVE-2009-3953   Adobe Reader/Acrobat    Array overflow
CVE-2010-0806   Internet Explorer       Use after free                   yes
CVE-2010-3333   MS Office               Stack buffer overflow
CVE-2010-0188   Adobe Reader/Acrobat    Stack buffer overflow            yes
CVE-2010-2883   Adobe Reader/Acrobat    Stack buffer overflow            yes
CVE-2011-0101   MS Excel                Excel record parsing WriteAV
CVE-2011-0611   Adobe Flash Player      Object type confusion            yes
CVE-2011-2462   Adobe Reader/Acrobat    Unspecified                      yes
CVE-2012-0158   MS Office (DOC/RTF)     Stack buffer overflow            yes
CVE-2012-1856   MS Office               Use after free
CVE-2012-4792   Internet Explorer       Use after free                   yes
CVE-2012-1723   Oracle Java             Sandbox escape
CVE-2013-0074   MS Silverlight          Double dereference
CVE-2013-1347   Internet Explorer       Use after free                   yes
CVE-2013-2465   Oracle Java             Sandbox escape
CVE-2013-2729   Adobe Reader            Integer overflow
CVE-2014-0322   Internet Explorer       Use after free                   yes
CVE-2014-1761   Word                    Object type confusion            yes
CVE-2014-1776   Internet Explorer       Use after free                   yes
CVE-2014-4114   MS Office               Logical                          yes

Credit: US-CERT

The targeted applications are the most common ones. This comes as no surprise. The list is comprised solely of Internet Explorer, Silverlight, MS Office, Oracle Java and Adobe Flash, Reader and Acrobat.

Vulnerabilities from 2012 and earlier comprise more than half of the list. This tells us more about victims than about attackers. Apparently non-patching is a common practice: updating vulnerable software is not prioritized. This enables attackers to successfully leverage old vulnerabilities (dating back as far as 2006!) for their purpose.

Browser and attachment attacks are equally distributed. The split between these two main attack vectors is around 50/50, with slightly more browser exploits shown. Browser exploits are common in watering hole attacks and are typically integrated in exploit kits. Attachments (Office, Adobe Reader etc.), on the other hand, are utilized in spear phishing attacks targeting specific users. The nearly equal distribution implies that both vectors remain areas of concern.

Half of these vulnerabilities are zero days. One of the most pressing issues for current cybersecurity strategists is the correlation between sophistication and prevalence. The disproportionate zero-day presence in the CERT list implies that today's zero day is tomorrow's common attack vector. Of course, a natural selection is involved which determines which zero days will spread and which will decline.
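The observations above (share of zero days, share of pre-2013 vulnerabilities, browser versus attachment split) can be recomputed directly from the table. The script below is an added example, not code from Palo Alto Networks or US-CERT: TABLE is the table above copied row by row, the parser recovers the application column by matching known product names (the flattened table has no delimiters), and the browser/attachment classification in BROWSER_APPS is this example's own assumption. The patch_backlog helper orders the list oldest-first, which is the order a patch-management team would want to work through it.

```python
"""Recompute the headline figures from the US-CERT table (added example)."""
from collections import Counter, namedtuple

# The post's table, copied verbatim (one CVE per line, trailing "yes" = zero day).
TABLE = """\
CVE-2006-3227 Internet Explorer Charset obfuscation
CVE-2008-2244 MS Word Buffer overflow
CVE-2009-3129 MS Excel Excel FEATHEADER record
CVE-2009-3674 Internet Explorer Uninitialized memory corruption
CVE-2009-3953 Adobe Reader/Acrobat Array overflow
CVE-2010-0806 Internet Explorer Use after free yes
CVE-2010-3333 MS Office Stack buffer overflow
CVE-2010-0188 Adobe Reader/Acrobat Stack buffer overflow yes
CVE-2010-2883 Adobe Reader/Acrobat Stack buffer overflow yes
CVE-2011-0101 MS Excel Excel record parsing WriteAV
CVE-2011-0611 Adobe Flash Player Object type confusion yes
CVE-2011-2462 Adobe Reader/Acrobat Unspecified yes
CVE-2012-0158 MS Office (DOC/RTF) Stack buffer overflow yes
CVE-2012-1856 MS Office Use after free
CVE-2012-4792 Internet Explorer Use after free yes
CVE-2012-1723 Oracle Java Sandbox escape
CVE-2013-0074 MS Silverlight Double dereference
CVE-2013-1347 Internet Explorer Use after free yes
CVE-2013-2465 Oracle Java Sandbox escape
CVE-2013-2729 Adobe Reader Integer overflow
CVE-2014-0322 Internet Explorer Use after free yes
CVE-2014-1761 Word Object type confusion yes
CVE-2014-1776 Internet Explorer Use after free yes
CVE-2014-4114 MS Office Logical yes
"""

# Product names as they appear in the table; longest names are tried first so
# that "MS Office (DOC/RTF)" is not swallowed by "MS Office", nor "MS Word" by "Word".
APPLICATIONS = ("Internet Explorer", "MS Word", "MS Excel", "MS Office (DOC/RTF)",
                "MS Office", "Word", "Adobe Reader/Acrobat", "Adobe Reader",
                "Adobe Flash Player", "MS Silverlight", "Oracle Java")
# Assumption of this example: these products are reached via the browser,
# everything else via a document attachment.
BROWSER_APPS = {"Internet Explorer", "Adobe Flash Player", "MS Silverlight", "Oracle Java"}

Entry = namedtuple("Entry", "cve year application vuln_type zero_day")


def parse_row(line: str) -> Entry:
    """Split one flattened table row into its four columns."""
    cve, rest = line.split(" ", 1)
    zero_day = rest.endswith(" yes")
    if zero_day:
        rest = rest[: -len(" yes")]
    for app in sorted(APPLICATIONS, key=len, reverse=True):
        if rest.startswith(app + " "):
            vuln_type = rest[len(app) + 1:].lower()
            return Entry(cve, int(cve.split("-")[1]), app, vuln_type, zero_day)
    raise ValueError(f"unrecognised application in row: {line!r}")


def parse_table(text: str) -> list:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def summarize(entries: list) -> dict:
    """The counts behind the post's observations, plus per-type and per-year tallies."""
    return {
        "total": len(entries),
        "zero_days": sum(e.zero_day for e in entries),
        "published_2012_or_earlier": sum(e.year <= 2012 for e in entries),
        "browser": sum(e.application in BROWSER_APPS for e in entries),
        "attachment": sum(e.application not in BROWSER_APPS for e in entries),
        "by_type": Counter(e.vuln_type for e in entries),
        "by_year": Counter(e.year for e in entries),
    }


def patch_backlog(entries: list) -> list:
    """Oldest vulnerabilities first: the longest-unpatched exposure is the cheapest win."""
    return sorted(entries, key=lambda e: (e.year, e.cve))


if __name__ == "__main__":
    entries = parse_table(TABLE)
    stats = summarize(entries)
    for key in ("total", "zero_days", "published_2012_or_earlier", "browser", "attachment"):
        print(f"{key}: {stats[key]}")
    print("most common classes:", stats["by_type"].most_common(3))
    print("oldest still in use:", [e.cve for e in patch_backlog(entries)[:3]])
```

Run as a script it prints the counts; the same functions can be pointed at any other flattened vulnerability list by extending APPLICATIONS.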

Most of the memory corruption vulnerabilities enable exploits to bypass DEP and ASLR. In recent years, the exploit mitigations integrated into Windows forced attackers to adjust how exploits are written. The CERT list suggests they have succeeded; ROP, for example, is common to almost all of the exploits shown. This illustrates once more the ever-changing nature of the cyber threat arena, in which whenever a security measure is introduced, attackers reflect, learn, reshape and attack in alternative patterns.
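DEP and ASLR only protect a process whose image opts in to them (or for which the OS forces them), so a basic defensive check is to audit which of the targeted applications' binaries actually set the linker flags. The script below is an added example, not Palo Alto Networks or US-CERT code: it reads the DllCharacteristics field of the PE optional header, whose NX_COMPAT and DYNAMIC_BASE bits (values from the PE/COFF specification) declare DEP and ASLR compatibility. The sample images it checks are constructed in build_sample_pe() as header-only PE files; audit_directory() is the helper you would point at a real Program Files tree.

```python
"""Report whether PE images opt in to DEP and ASLR (added example)."""
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit image may use full high-entropy ASLR
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP / NX

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHAR_OFFSET = 70        # DllCharacteristics sits at the same offset in PE32 and PE32+


def pe_mitigations(data: bytes) -> dict:
    """Return the linker-level mitigation flags a PE image declares."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE          # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (flags,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(flags & NX_COMPAT),
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub + PE + COFF + optional header, no sections)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def audit_directory(root: str) -> dict:
    """Map every .exe/.dll under root to its mitigation status; malformed files are reported, not skipped."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".exe", ".dll"):
            try:
                results[str(path)] = pe_mitigations(path.read_bytes())
            except (ValueError, struct.error, OSError) as exc:
                results[str(path)] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    samples = {
        "hardened (PE32+)": build_sample_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True),
        "legacy (PE32)": build_sample_pe(0),
    }
    for label, image in samples.items():
        print(label, pe_mitigations(image))
```

The flags only say what the image asks for: system-wide DEP policy or a host-based mitigation product can still enforce protections on an image that did not opt in, and conversely a module that opts out of ASLR (or a non-relocatable plugin loaded into a hardened browser) gives an exploit a fixed address to return into. Cross-check the audit against the process-level view on the host rather than treating the header as the final word.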

Addressing the Security Gap

Palo Alto Networks Traps directly addresses the security gaps reflected in the CERT list.

Traps prevents exploitation in real time by mitigating the core techniques that are common to all exploits. The exploits for the vulnerabilities on the CERT list differ from one another, but all of them converge on a known pool of techniques. Traps proactively obstructs these techniques, providing protection without relying on signatures or prior knowledge.
