Old Exploits Die Hard, Says Microsoft Report

Microsoft’s twice-annual SIR bellwether security report highlights malware, fraudulent login attempts and the staying power of really old software bugs.

Microsoft’s Security Intelligence Report painted a bleak picture when it comes to malware, fraudulent login attempts and the staying power of really old exploits. Key findings in the 198-page biannual report run the gamut illustrating how old threats die hard and what new threats are on the horizon.

The report, released Thursday, analyzes the threat landscape of exploits, vulnerabilities, and malware using data for the third and fourth quarters of 2015. Data is culled from its own internet services and more than 600 million computers worldwide running services such as Windows Defender and the Microsoft Malicious Software Removal Tool.

Certainly, there were plenty of bright spots in the report, especially for readers in North America, which according to Microsoft is one of the regions least likely to become infected compared to other parts of the world. Another bright spot overall: while exploits and malware attacks are on the rise, the number of times attackers successfully infect computers is declining.

But the “too long; didn’t read” takeaway of Microsoft’s SIR is simple. “Threats don’t change as fast as we think they do. Many of the issues we are faced with today are the same as they have been for years,” said Dan Guido, a security expert and founder of Trail of Bits. “Many of the exploits and malware out there only affect older systems, and Microsoft has done a great job at designing Windows 10 and other, current generation, software to avoid them entirely. One of the easiest ways you can remove yourself from harm’s way is to buy a new computer and get rid of an older one.”

The longer version: Microsoft observed a 9.4 percent rise in vulnerability disclosures in the second half of 2015 compared to the previous six months. Fifty percent of those vulnerabilities were considered medium risk by Microsoft. Disclosures of high-severity vulnerabilities increased 41.7 percent across the industry in the second half of 2015, accounting for 41.8 percent of all vulnerabilities.

The most common attack vectors for those vulnerabilities were third-party Windows applications, followed by the core operating system, then OS applications and web browsers, according to Microsoft.

Exploit Kits

[Figure: Quarterly trends for the top 10 malware and unwanted software families detected on domain-joined computers in 2H15, by percentage of computers encountering each family.]

After decreasing steadily for more than a year, encounters with exploit kits increased by more than a third from the third quarter of 2015 to the fourth, according to Microsoft. Exploit kits remained the most commonly encountered type of exploit in the second half of the year, with an encounter rate more than four times that of the next most common type of exploit, according to Microsoft.

The most prevalent exploit kit was Angler, and the most targeted operating system flaw was CVE-2010-2568, a vulnerability in Windows Shell. CVE-2010-2568, well known for its use by the Stuxnet malware family in June 2010, has had a patch available since Aug. 2, 2010, but many systems are still being successfully targeted.

“Recently, the industry has seen a rise in attacks exploiting 10-year-old vulnerabilities to gain access and encrypt systems. The question is, why haven’t these old vulnerabilities been fixed yet?” said Gavin Millard, EMEA Technical Director for Tenable Network Security. “It’s critically important that organizations don’t forget to patch the long forgotten vulnerabilities still lingering that can be easily exploited,” he said.

Malware on the Move

[Figure: Top categories of malware and unwanted software detected by Windows Defender and System Center Endpoint Protection at Microsoft in 2H15.]

As for malware, according to Microsoft, the share of PCs worldwide hit with an attempted malware infection in the second half of 2015 shot up to 20 percent, a 6 percent rise compared to the previous year. Ransomware accounted for less than 0.5 percent of malware that attempted to infect Windows PCs. Ransomware, Microsoft reported, is being used by attackers more judiciously, in targeted attacks.

Two new browser modifiers, Win32/Diplugem and Win32/SupTab, were primarily responsible for the increased malware encounter rate in the third quarter of 2015.

One interesting malware finding: PCs managed by IT are much less likely to encounter malware, with about 11 percent of domain-joined PCs encountering malware in the fourth quarter, compared to about 22 percent of non-domain-joined systems, according to Microsoft.

Password Attacks

Microsoft tapped intelligence from Microsoft Accounts (Outlook.com, OneDrive and Skype) and from Azure Active Directory (used for Office 365, Box and other cloud apps), and measured how often attackers attempted to compromise accounts via phishing, brute force, social engineering and other types of attacks, and how often they succeeded.

“From all this data gathering and analysis, each day Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials,” according to Microsoft.

Microsoft reports its accounts have in excess of 13 billion logins per day, of which 10 million attempts are flagged as fraudulent.

Captain Obvious Recommendations

Microsoft’s recommended solutions won’t surprise any seasoned security experts. Microsoft recommends:

  • Enterprise networks should consider blocking certain types of websites that don’t serve the interest of the business.
  • Prepare your network to be forensically ready, so that you can achieve containment and recovery if a compromise occurs.
  • Make sure that your organization’s internet-facing assets are always running up-to-date applications and security updates, and that they are regularly audited for suspicious files and activity.
  • Conduct enterprise software security awareness training, and build awareness of malware prevention.
  • Institute a strong network firewall and proxy.
  • Apply all security updates as soon as they become available.
  • Consider disabling features, such as EPS or macros, in powerful products like Microsoft Office by using Group Policy.
  • Enterprise networks should segregate high business impact data holding segments from internet-connected networks.
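The macro recommendation above is usually delivered through a Group Policy object, which writes values under the Policies hive of the registry. The following PowerShell script is an added example, not part of the SIR report or any Microsoft tooling; it audits and, with -Enforce, sets those policy values for Word, Excel and PowerPoint. It assumes Office 2016/365 (version key "16.0") and runs for the current user's hive; in an enterprise the same settings belong in a GPO built from the Office ADMX templates.

```powershell
# Added example: audit/enforce Office macro policy via the Policies registry hive.
# Assumption: Office 2016/365 uses the "16.0" version key; adjust for other releases.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba = $props.VBAWarnings                         # 4 = disable all macros, no notification
    $web = $props.blockcontentexecutionfrominternet   # 1 = block macros in files from the internet
    [pscustomobject]@{
        App           = $App
        VBAWarnings   = $vba
        BlockInternet = $web
        # Treat "signed only" (3) or "disabled" (4) plus the internet block as compliant.
        Compliant     = (($vba -eq 3) -or ($vba -eq 4)) -and ($web -eq 1)
    }
}

function Set-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    # New-Item -Force creates the missing path segments without failing if present.
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

function Invoke-MacroPolicyCheck {
    param([switch]$Enforce)
    foreach ($app in $Apps) {
        $state = Get-MacroPolicy -App $app
        if (-not $state.Compliant -and $Enforce) {
            Set-MacroPolicy -App $app
            $state = Get-MacroPolicy -App $app
        }
        $state
    }
}

# Audit only: Invoke-MacroPolicyCheck | Format-Table
# Audit and remediate: Invoke-MacroPolicyCheck -Enforce | Format-Table
Invoke-MacroPolicyCheck | Format-Table -AutoSize
```

Run the audit first to see which applications lack a policy value at all (shown as blank), since a missing value means the user's own Trust Center setting applies rather than the enforced one.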
