
Symantec finds readers, plug-ins new exploit haven

Malicious PDF files now are the cause of nearly half of all web-based attacks, according to Symantec's annual "Global Internet Security Threat Report."

The report, released Tuesday, showed suspicious PDF file downloads accounted for 49 percent of web-based attacks in 2009, up from 11 percent a year earlier.

The second most frequent web-based attack was caused by an Internet Explorer object file installation vulnerability, but the prevalence fell from 30 percent in 2008 to 18 percent last year. The flaw dates back to 2003 and has been patched by Microsoft.

"This underlines the importance of security measures and patches that address old issues as well as new ones," the report said.

Ben Greenbaum, senior research manager for Symantec Security Response, said he wasn't surprised that PDF bugs have overtaken browser vulnerabilities in the cybercriminal's arsenal.

"It's a widespread technology," he said. "Almost every machine has some kind of PDF renderer on it. Browsers and operating system patch time has been improving. Plug-ins and content renderers are the next logical target."

And it is increasingly likely that many of those PDF attacks are being perpetrated from nations outside of the United States. America still hosts the most malicious activity (19 percent), but the climb of countries such as Brazil (six percent) and India (four percent) up the list indicates that broadband penetration is fueling a surge in cybercrime.

"Attackers are continuing to move their operations to countries with emerging internet operations," Greenbaum said. "Broadband penetration supports criminal infrastructure. There's often this Wild West period where the technology is available, but there aren't laws set up to deal with the ramifications of that technology."

Meanwhile, 2009 was the year the targeted attack went mainstream, with high-visibility targets, such as Google, admitting they were compromised through tailored payloads that typically arrive via socially engineered emails, the report said. That trend should continue, considering hacking accounted for 60 percent of all identities exposed last year, compared to 22 percent in 2008.

The report also showed that while criminals may be relying on browser flaws less, there is no shortage of new ones to exploit. For example, there were 169 new flaws in the Mozilla Firefox browser in 2009, compared to 99 the year prior. The number of bugs in Apple Safari jumped from 40 to 94. However, the number of Internet Explorer (IE) vulnerabilities fell slightly, from 47 to 45.

"Researchers are looking harder because browsers are a target," Greenbaum said. "Attackers are looking harder because browsers are a target. And vendors are paying more attention because they know their browsers are a target."

Because IE's market share remains high, though gradually dwindling, it is unlikely that malware writers will abandon the browser for other options. Still, the report offered advice for IT administrators trying to protect against exploits:

"Administrators should maintain a restrictive policy regarding which applications are allowed within the organization. The security of applications should be evaluated on a platform-by-platform basis to ensure that platform-specific security issues do not arise when the application is installed. This will ensure that desktops within the organization are not running unauthorized software."
