The Bromium Labs Research Brief entitled “Endpoint Exploitation Trends H1 2014” released on July 22 shows Microsoft’s Internet Explorer in the lead for a crown it probably doesn’t want — namely, “the historic high number of security patches in over a decade” (press release). Here’s a graph snipped from that document that counts publicly reported vulnerabilities for a number of browsers and popular related tools and technologies (2013 in light blue; 2014 in salmon).
MSIE overtakes Firefox, Chrome and Java (ahead in 2013) to take the lead for reported vulnerabilities in the first half of 2014.
[Report: Pg3; data originates from the US NIST National Vulnerability Database, aka NVD]
The report states further: “The notable aspect for this year thus far in 2014 is that Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash, and others in the fray. Bromium Labs believes that the browser will likely continue to be the sweet spot for attackers” (page 3). Furthermore, Bromium’s analysis shows that attackers have been able to bypass Microsoft’s Address Space Layout Randomization (ASLR) technology using a technique called Action Script Spray to dynamically create return-oriented programming (ROP) chains, and reports that two such exploits have already been identified in 2014. Likewise, data execution prevention (DEP) blocks seem less effective than initial descriptions (and tests) of the technology promised.
One potentially positive trend documented in the report is a shortened time frame between the day an exploit is reported and the day a patch becomes available. A figure on page 4 of the report shows that lag times (in days) have decreased dramatically from IE9 (over 90 days) to IE10 (over 10 days) to IE11 (under 5 days). But on page 7 of the report, Bromium muddies the waters a bit with this remark: “Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently. This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received.” To buttress the second possibility, Bromium’s researchers point to the increasing popularity of “use-after-free” vulnerabilities in zero-day exploits — a point worth learning more about, and pondering carefully (see this MITRE CWE definition for more info).
What does this portend for Windows system and security administrators? Alas, it means the common perception that IE is a source of security vulnerability remains as true today as it has been in the past (or truer), and that erecting defense in depth around its use (or avoiding or banning it) is a top priority. And I thought newer generations of IE were supposed to be more secure than older ones? Go figure!