OS X Zero-days on the Rise—A 2015 Midyear Review and Outlook on Advanced Attack Surfaces

2015 has so far been a very busy year for security researchers. The data leaked from Hacking Team shocked many, thanks to the multiple zero-days that were disclosed, as well as emails discussing the unscrupulous trade in exploits and “tools”.

Cybercriminals (including exploit kit authors) have been hard at work integrating these newly-discovered flaws into their “products” to victimize more people and organizations; meanwhile vendors have been racing to provide users with security updates. This is a good time to see how the threat landscape has been shaped by the vulnerabilities found so far this year.

Summary of the first half of 2015

As I noted earlier this year, the risks of using OS X, iOS, Android and Flash Player increased this year. Our own research, plus the leaked data from Hacking Team, reflects this trend. In the first half of the year our researchers discovered and disclosed 26 vulnerabilities; eight were zero-days.

Of these, two were discovered in high-profile advanced attacks, including Operation Pawn Storm and attacks in Korea and Japan.  We found two Flash zero-days (CVE-2015-0311 and CVE-2015-0313) by monitoring popular exploit kits as well as feedback from Trend Micro products. Four more zero-days were found as part of the Hacking Team data and later confirmed at least one (CVE-2015-5122) of them was quickly integrated in exploit kits. A total of 15 noteworthy zero-days were found in commonly used desktop applications by various researchers, with 8 of these found by our researchers.

Figure 1. Timeline of 2015 zero-days and critical vulnerabilities discovered by Trend Micro

The following is a list of the vulnerabilities Trend Micro has discovered to date in 2015, the affected software, and the relevant vendor bulletin (if any). The vulnerabilities in bold text represent zero-days:

  1. CVE-2014-4140 (Microsoft Internet Explorer, MS14-056)
  2. CVE-2015-0069 (Microsoft Internet Explorer, MS15-009)
  3. CVE-2015-0311 (Adobe Flash, APSB15-03)
  4. CVE-2015-0313 (Adobe Flash, APSA15-02)
  5. CVE-2015-1649 (Microsoft Office, MS15-033)
  6. CVE-2015-1683 (Microsoft Office, MS15-046)
  7. CVE-2015-1694 (Microsoft Internet Explorer, MS15-043)
  8. CVE-2015-1709 (Microsoft Internet Explorer, MS15-043)
  9. CVE-2015-1754 (Microsoft Internet Explorer, MS15-056)
  10. CVE-2015-1835 (Apache Cordova bulletin)
  11. CVE-2015-2391 (Microsoft Internet Explorer, MS15-065)
  12. CVE-2015-2415 (Microsoft Office, MS15-070)
  13. CVE-2015-2425 (Microsoft Internet Explorer, MS15-065)
  14. CVE-2015-2426 (Microsoft Windows, MS15-078)
  15. CVE-2015-2590 (Oracle Java – Oracle Critical Patch Update Advisory – July 2015)
  16. CVE-2015-3823 (Google Android)
  17. CVE-2015-3824 (Google Android)
  18. CVE-2015-3839 (Google Android)
  19. CVE-2015-3840 (Google Android)
  20. CVE-2015-3842 (Google Android)
  21. CVE-2015-3847 (Google Android)
  22. CVE-2015-3851 (Google Android)
  23. CVE-2015-3852 (Google Android)
  24. CVE-2015-5119 (Adobe Flash, APSA15-03)
  25. CVE-2015-5122 (Adobe Flash, APSA15-04)
  26. CVE-2015-5123 (Adobe Flash, APSB15-18)

We also discovered nine vulnerabilities on the Android platform. The number of vulnerabilities in mobile operating systems and OS X grew significantly from 2014, given the increase in attention given to it by blackhat hackers, white hat hackers, and security conferences. Attacks in the wild are also known: a zero-day exploit toolkit made by Hacking Team included well-crafted shellcode to attack OS X 64-bit systems. That means Hacking Team’s customers – the attackers – are also very interested in Mac users.

At least five Flash exploits were imported into exploit kits right after Adobe’s patches were released. However, new exploits targeting other applications were rarely seen during the same time period. It indicates that Flash Player was specifically targeted by attackers.


Figure 2. Distribution of zero-days discovered in desktop applications


Figure 3. Distribution of zero-day discoveries

New changes and the future

In addition to the multitude of Flash exploits found in the year to date, there were some other developments related to exploits and vulnerabilities:

  • After several difficult years, Adobe finally introduced new exploit mitigations into the current version of Flash Player (with some assistance from Google Project Zero). This has strengthened the Flash heap with isolation and stronger randomization, and added extra validation on the Vector.<*> length as well. As a result, vulnerabilities can no longer be exploited by currently known and common methods. I believe that these will keep out attackers in the short term by making it more difficult to write exploit code – so long as users are on current versions of Flash.
  • We discovered the first Java zero-day since 2013. It was used in new attacks related to Operation Pawn Storm, which targeted armed forces of a NATO country and a US defense organization. Two vulnerabilities were used in the exploit, and one (CVE-2015-2590) has been fixed by Oracle. It’s a good question if we will see large-scale attacks targeting Java return.
  • Vendors rapidly fixed the vulnerabilities leaked from the Hacking Team data. Although good news for now, these leaked attack templates will continue to have lingering effects over the long-run. Hacking Team was well-organized, and other attackers can definitely learn from them. It is not easy to create exploits that will run across multiple platforms and which will run without being spotted by the user. This is what Hacking Team has accomplished – not only did they create exploits, they created high-quality, well-designed ones. These could serve as templates that other attackers could learn from.

Based on the above points, I predict there will be more advanced attacks in the second half of 2015.

Macs will attract more attackers with the number of discovered OS X vulnerabilities gradually on the rise. Looking at CVE details, 63 were found in 2013, and another 111 in 2014. Even though the year is still far from finished, 178 have already been found in 2015 – beyond even the number found in 2014.  Trend Micro researchers have discovered some OS X vulnerabilities, and are working with Apple to provide patches. It’s still in the early days of OS X vulnerability research, and some skills from Windows exploits (such as return-oriented programming, or ROP) are also applicable to the OS X platform. Even some malware families (such as Flashback) have been “ported” as well.

In the first half of the year, there were several security incidents based on the research into OS X issues such as ThunderstrikeRoot-pipeEFI boot script vulnerability, and DYLD_PRINT_TO_FILE vulnerability. Fortunately, each of these exploits could only be used as part of a larger attack chain, instead of a complete attack.

This changed with the “Thunderstrike 2″ rootkit, which has already been found in the wild. It exploits the DYLD_PRINT_TO_FILE vulnerability to compromise Macs remotely (i.e., via a phishing email or malicious website). It can then spread from one Mac to another via Thunderbolt devices by exploiting an EFI vulnerability (much like USB malware on Windows PCs). Thunderstrike 2 is more serious for three reasons:

  • It can be remotely deployed and spread
  • You cannot remove it even you format your hard disk.
  • One of vulnerabilities does not have a patch yet.

All this indicates that Mac users are under increasing risk from similar attacks.

In addition, more evasive techniques like SecureSWF encryption may be used by attackers. They may also use Java once again. Windows 10’s new browser Microsoft Edge has been introduced, and while it does contain notable improvements, attackers are surely going to test its defenses as well. In more hopeful news, Flash exploits will be restricted to users who don’t have the latest version installed (although many users don’t upgrade to the newest version).

Vulnerability research and Trend Micro protection

Trend Micro researchers focus on analyzing exploit samples gathered from victims of targeted attacks. These are harvested from different channels such as honeypots, feedback from Trend Micro products, and submissions from customers and users. This comprehensive approach helps us discover many zero-day attacks in only half a year. We also proactively seek out vulnerabilities using static analysis, fuzzing, and penetration testing. We responsibly report vulnerabilities to vendors before hackers can use them.

Our researchers work closely with our development teams to ensure our products provide the best possible protection against exploits. Our products use the most effective detection methods, guided by our experience in exploit analysis. The collected samples and discovered vulnerabilities are used to validate the effectiveness of our products and solutions.

These and other efforts contribute to the positive test results of Trend Micro products in tests by independent laboratories like AV-Test, AV-Comparative, and NSS Labs. In particular for the second year in a row Trend Micro™ Deep Discovery has received a “recommended” rating and is the highest overall recommended breach detection system from NSS Labs, making it the most effective solution available. This shows the solution excellence of Deep Discovery, which is based on more than 20 issued patents and dozens of other pending patents.

Zero-day exploits are used primarily for carrying out targeted attacks. By definition, they are unknown and unpredictable, exposing the systems of even the most diligent security practitioners. In addition to benchmarking, our research helps us proactively detect zero-days and stay one step ahead of attackers. The existing Sandbox with Script Analyzer engine (which is part of Trend Micro Deep Discovery), can detect many of the zero-day exploits seen in 2015, without need for updates. The ability to detect zero-days is even more valuable to users than discovery and response. We were able to detect the following zero-days without any updates:

  • CVE-2015-0310
  • CVE-2015-0311
  • CVE-2015-0313
  • CVE-2015-2590
  • CVE-2015-3043
  • CVE-2015-3113
  • CVE-2015-5119
  • CVE-2015-5123

This benchmarking achievement and advanced detection shows that Trend Micro Deep Discovery is an industry leading APT/advanced threat solution, with our smart sandbox being one of the key contributors. The smart sandbox is customizable, and it not only has payload behavior detection, but it also has script and shell-code behavior detection. If you want to know more details, please visit my previous blog here.

Read more: OS X Zero-days on the Rise—A 2015 Midyear Review and Outlook on Advanced Attack Surfaces

Story added 12. August 2015, content source with full text you can find at link above.