Vulnerabilities Affecting Personal Computers, 2nd Largest Threat Category for Internet Users

by FireHost Evangelist on October 2nd, 2009

Client-side (or Personal Computer) vulnerabilities are “holes” in the operating system or applications that run on personal computers. In addition to the core operating system, email clients, browsers, document viewers, and multimedia applications are susceptible to exploits in this category.

The top trends in browser exploits for this year include:

  • Web browsers in general made up the largest number of client-side vulnerabilities reported this year, and ActiveX controls (a web browser plug-in) account for three of the top five most popular web browser exploits.
  • New Firefox threat disclosures surpassed Microsoft Internet Explorer’s new disclosures. As with most browser-related incidents, attacks happened when users did not keep browsers patched and current.
  • Organized and targeted web exploit toolkits are quickly replacing “one-off” web browser exploits because of the flexible delivery options that empower hackers to attack all of a site’s visitors at once or to pick out victims based on data such as the visitor’s cookie set, geographic location, or referring URL.
  • Obfuscation found in client-side exploits is on the rise. In fact, the amount of suspicious, obfuscated content almost doubled from Q1 to Q2 of this year.
  • VBScript is now being used on 20% of malicious sites, up 13% from 2008. Researchers have observed, however, that the final attack code is still usually JavaScript that has merely been obfuscated by Visual Basic scripts.

While browser vulnerabilities represented the biggest threat in the first half of this year (50%), there was a sharp uptick in document format exploitation, from approximately 12% in 2008 to 26% this year.

In the past, document vulnerabilities were most often related to Office formats (.doc, .xls, .ppt and so on). In 2009, however, disclosures related to the Portable Document Format (.pdf) have taken over as the number one type of exploit, and the number of vulnerabilities reported in the first half of 2009 has surpassed the number of incidents reported in all of 2008.

Researchers who worked to compile IBM X-Force Team’s 2009 Mid-Year Trend & Risk Report expect the trend to continue.


This entry was posted on Friday, October 2nd, 2009 at 9:00 am and is filed under Security.

