Vulnerability Research and Disclosure: Evolving To Meet Targeted Attacks

Recently, both HP’s Zero Day Initiative (ZDI) and Google’s Project Zero published vulnerabilities in Microsoft products (specifically, Internet Explorer and Windows 8.1) because Redmond did not fix them within 90 days of the vulnerabilities being reported.

This has resulted in an argument between security researchers and software vendors on how vulnerabilities should be disclosed. A case where a vulnerability was disclosed without a patch has mixed results for end users:

• It pushes vendors to respond more quickly when vulnerabilities are disclosed to them in the future;
• However, it also increases the time window when attacks can be carried out using these unpatched vulnerabilities.

This is a long and complicated discussion that it would not be productive for me to jump into. Instead, we should look at why this particular debate has become more pointed recently. This is because the landscape of vulnerability research is changing.

For a long time, most vulnerabilities were discovered (and disclosed) by independent researchers (like white-hat hackers). At some level, they treat vulnerability research as a hobby. They have no incentive (or capability) to force vendors to fix vulnerabilities.

However, since 2010, many targeted attack campaigns have been discovered and documented. Professionals everywhere are now aware that everyone can be the victim of targeted attacks.  Many of these incidents use zero-day vulnerabilities to compromise user systems.

This has resulted in both established security vendors as well as startups expanding their ability to discover vulnerabilities in applications and websites.  In effect, the ecosystem surrounding vulnerability research has been changed by the need to deal with targeted attacks.

Trend Micro vulnerability research

Trend Micro has also been expanding its own vulnerability research capabilities. In 2014, we discovered 19 critical vulnerabilities in various applications that could be exploited  for remote code execution. Eleven of these affected Internet Explorer, three Adobe Flash Player, and two each affected Adobe Reader/Acrobat and Java. We also found one vulnerability in Netcore/Netis routers.

Figure 1. Discovered vulnerabilities in 2014

The 19 critical vulnerabilities (and affected software) which we found and reported to the appropriate vendors in 2014 are:

• CVE-2014-0290– Internet Explorer
• CVE-2014-0417– Java
• CVE-2014-0525– Adobe Acrobat/Reader
• CVE-2014-0536– Adobe Flash
• CVE-2014-0559– Adobe Flash
• CVE-2014-0581 – Adobe Flash
• CVE-2014-1753– Internet Explorer
• CVE-2014-1772– Internet Explorer
• CVE-2014-1782– Internet Explorer
• CVE-2014-1804– Internet Explorer
• CVE-2014-2401 – Java
• CVE-2014-2768– Internet Explorer
• CVE-2014-4057– Internet Explorer
• CVE-2014-4095– Internet Explorer
• CVE-2014-4097– Internet Explorer
• CVE-2014-4105– Internet Explorer
• CVE-2014-6368 – Internet Explorer
• CVE-2014-6443 – Netcore/Netis routers
• CVE-2014-8447 – Adobe Reader and Acrobat

Why vulnerability research matters

Vulnerability research has the following benefits for security vendors:

1. It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly.

In 2013, the biggest source of exploit trouble was Java. However, we predicted that Internet Explorer and Adobe Flash would be the next targets. The reason was simple: attackers focus on the applications with the least security protection. Java had been forced by the events of 2013 to improve their security; other platforms would now be the focus of attackers.

We put our resources into investigating Internet Explorer and Flash from late 2013 onwards. As a result, we are able to discover zero-day vulnerabilities (like CVE-2014-8439, CVE-2015-0311, or CVE-2015-0313) as well as improve our ability to detect various commonly used exploit kits.

2. Validate solution effectiveness on unknown threats

Research into unpublished vulnerabilities will help confirm which solutions are or are not effective. For example, after Internet Explorer introduced “delay free”, most of UAF vulnerabilities could no longer be exploited with current techniques. This did not render attacks impossible to do, only difficult.

If a new method is found – whether discovered by attackers or disclosed by researchers – how can we know right away if our protection is effective of it can be bypassed without a sample? Our own findings can be used to simulate the condition in such a situation.

3. Respond effectively to zero-day and N-day exploits

Every solution has its own inherent difficulties and limitations. Some exploits like CVE-2014-6332 require multiple solutions that cover various aspects of the threat. Studying vulnerabilities in detail allows us to identify the root causes of the vulnerabilities and deliver the best solutions.

The exploit landscape of 2015

My colleague Pawan Kinger had earlier discussed the exploit landscape of 2014.  At the 2015 began, Google revealed three vulnerabilities in Mac OS X. This may serve as a significant sign to attackers that it’s worthwhile to investigate the code of open source projects. Users should consider using security products even on Macs, as well as mobile devices like iOS and Android smartphones/tablets.

Microsoft did a lot to improve the security of their products. Internet Explorer has been strengthened with various anti-exploit techniques. Windows 10 will add the Spartan browser, as well as more OS-level protection techniques like Control Flow Guard (CFG).  This will slow down attackers, as they need to understand these new mechanisms before creating new exploits,

However, Adobe Flash Player is less secure and exploits targeting it are very popular, as the multiple vulnerabilities in use (CVE-2014-0569, CVE-2014-8439, CVE-2014-2014-9163, and CVE-2015-0311) show. In those cases, more and more obfuscation and evasion are in use.

Trend Micro Deep Discovery contains a powerful sandbox that can detect and analyze threats entering the network perimeter, even without any pattern or engine updates. This allows IT administrators to detect threats – including attacks that use zero-day exploits – that attempt to target their organization. This information can be used by administrators to craft an appropriate response as necessary.