When we discuss exploit prevention, we often talk about “targeted applications.” This term refers to end-user applications that can be exploited by hackers for malicious purposes. There are a few requirements that define these applications:
Targeted Applications Receive External Content
In order to deliver the exploit, the attacker must be able to provide the user with specially crafted content that contains the malicious exploit, aka weaponized content. For example, this could be an HTML Web page that contains a hidden Java applet, or an email attachment, such as a Word document, Excel spreadsheet or PDF document, that contains hidden code. This code executes when the application opens the content and exploits vulnerabilities in these applications to download malware on the endpoint. If an application does not receive external content, it would be impossible for the attacker to deliver the weaponized content and the exploit.
They Have Vulnerabilities
Vulnerable applications provide the attacker with an opportunity to develop an exploit. Some applications contain more vulnerabilities than others, and some vulnerabilities are easier to exploit. An application that has many exploitable vulnerabilities will be targeted more often. Zero-day vulnerabilities, which are vulnerabilities that are unknown to the public, are more likely to be successfully exploited because there is no patch available. However, zero-day vulnerabilities are not a requirement. Interestingly, known application vulnerabilities are still exploited because many users do not apply security patches in a timely manner.
They Are Common Applications
Common applications that can be found on most user endpoints are targeted more often than uncommon, specialized applications. Of course, the more common the application is, the wider the attack surface it provides.
There Are Exploits Available
Exploit code must be developed in order to exploit the application’s vulnerability. If the vulnerability exists but no exploit code was developed, the risk remains theoretical.
Considering the listed requirements for targeted applications, it is not surprising that the most-targeted end-user applications are browsers, Java applications, Adobe Acrobat, Flash, Word, Excel, PowerPoint and Outlook. These are all common applications found on most user endpoints. They all receive external content that can be weaponized. They all contain vulnerabilities — most of them are known, but periodically, we hear about zero-day vulnerabilities. Also, exploit kits that contain exploit codes are widely available.
If we take, for example, the 2011 RSA breach, the attacker used a spear-phishing campaign to deliver a weaponized attachment to employees. The spear-phishing email included a weaponized Excel spreadsheet that contained a zero-day exploit object. The attachment exploited an Adobe Flash vulnerability (CVE-2011-0609) to silently install a customized remote access Trojan known as Poison Ivy RAT. Both Excel and Adobe Flash are commonly targeted applications that can be found on most user endpoints.
Any advanced threat protection and exploit prevention technology must ensure these targeted end-user applications are not successfully exploited. Since these applications are very different from each other, special controls may be required for each application. For example, Java applications are vulnerable to both native exploits (executed at the memory level) and applicative exploits (executed in the user space by breaking out of the Java virtual machine sandbox). Solutions that apply granular controls at the OS level to protect against native exploits wouldn’t be able to protect against applicative exploits.