Adobe Reader and Microsoft IE Top Web Security Concerns

The majority of Internet security threats come from unpatched vulnerabilities in Adobe Acrobat/Reader and Microsoft's Internet Explorer browser, according to an industry study.

Those two programs topped a list of the "15 most observed vulnerabilities" on the Web, according to M86 Security's "Security Labs Report: January-June 2010 Recap," released this week. The vulnerabilities persist even though Adobe and Microsoft have issued fixes for the flaws. Some users apparently haven't applied the patches, which date back to 2006 in one case.

Topping the list of commonly unpatched vulnerabilities is the Adobe Acrobat/Reader "CollectEmailInfo" flaw, for which a patch was issued in 2008. Next is the "deleted object event handling process" flaw in Internet Explorer, which had a patch issued this year. An "RDS ActiveX" flaw in Microsoft Internet Explorer ranks third on the list, even though a patch was issued in 2006.

All told, according to the report, Microsoft Internet Explorer accounted for five of the top 15 vulnerabilities, while Adobe Reader accounted for four. M86 Security's complete list of vulnerabilities can be found in the report (PDF download).

The report, which covers the first half of this year, highlighted some trends to watch. One "worrisome development" is the rise of "advanced persistent threat" attacks that infamously targeted Google, Adobe, Juniper Networks and other companies. The Google attack is typically known as "Operation Aurora" and attributed to Chinese hackers using an Internet Explorer 6 flaw.

According to M86 Security's report, advanced persistent threat attacks involve a number of steps. First, the attacker searches out employee IDs to infiltrate a company's social network. Next, URLs leading to malicious Web sites are sent through the social network. When a user clicks on the link, it redirects the person's browser to a malicious Web site housing an exploit that can spread malware.

Another rising threat is a technique of code obfuscation using Adobe Flash, according to the report. The attack avoids detection by combining "JavaScript with Adobe's ActionScript scripting language." ActionScript can work with JavaScript on the parent Web page to enable two-way communications, which makes it difficult to detect the exploits.

Java-based exploits also represent a rising trend, the study found. Typically, these attacks take place when "an iFrame or JavaScript is injected into a Web page of a legitimate site that redirects the browser to a malicious Web page."

Most malicious code on the Web is hosted on compromised existing Web sites, rather than sites devised by criminals, according to the report. The United States leads as the No. 1 host country for malware at 43 percent, followed by China (14 percent) and Russia (four percent).

Spam is on the rise, despite the demise of the McColo hosting provider and botnets. Spam represents 88 percent of all inbound e-mail and has shown a 14 percent upward trend since January. Spam is mostly used to push pharmaceutical sales, particularly the "Canadian Pharmacy" brand, according to the report.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
