Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    February 2013
    S M T W T F S
    « Jan    
     12
    3456789
    10111213141516
    17181920212223
    2425262728  
    • About Us
    Trendlabs Security Intelligence > Snapshot of Exploit Documents for April 2012

    Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker’s payload malware into the target’s computer. Since exploit documents are one of the first arrival vectors of APT malware, a little knowledge of the most exploited software and vulnerability will go a long way in removing low hanging security holes within one’s organization.

    Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.

    The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.

    Coming in at third place as the most common vulnerabilities exploited is CVE-2009-3129, which is an MS Excel software bug. This graph fits in perfectly with the first one as Excel is the second most exploited Office software.

    For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice by attackers are well-documented by Trend Micro researches on two blog entries found here and here.

    From these graphs, we can easily deduce that:

    • Reliable exploits have long lifespans. Attackers would rather use old reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new, but unreliable exploits.
    • A lot of organizations do not update their software. The wide use of a two year old vulnerability just shows patch levels in many industries are not updated.
    • Rapid adoption and use of a new reliable exploit. Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers. This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations.

    Trend Micro Deep Security protects users this threat, specifically via the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)




    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Wednesday, May 9th, 2012 at 11:38 pm and is filed under Exploits, Targeted Attacks, Vulnerabilities . Both comments and pings are currently closed.



    Comments are closed.



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice