ESET has published a new report focusing on Windows vulnerabilities fixed by Microsoft in 2014 and their exploitation.
According to the researchers, most of the vulnerabilities addressed by Microsoft last year affected Internet Explorer. Of the total of approximately 240 security holes, seven were exploited by malicious actors before the company had a chance to patch them (zero-days). Compared to 2013, the number of Internet Explorer flaws doubled last year.
A large majority of the Internet Explorer bugs addressed by Microsoft were remote code execution (RCE) vulnerabilities that could have been exploited for malware distribution through drive-by download attacks, the study shows.
Last year, Microsoft also addressed tens of vulnerabilities affecting kernel mode drivers, the .NET framework, the Windows GUI subsystem driver (win32k.sys), Office, and various Windows user mode components. Nine of these security holes were zero-days, ESET noted.
Vulnerabilities in Win32K, kernel mode drivers, and .NET were mostly leveraged for local privilege escalation (LPE). Microsoft Office vulnerabilities, on the other hand, were largely exploited for remote code execution. Flaws in Windows user mode components were used for both RCE and LPE, the security firm said.
Compared to 2013, the number of vulnerabilities patched by Microsoft in its products, with the exception of Internet Explorer, decreased considerably in 2014.
“We can predict for next year that drive-by download attacks will remain as the main avenue for exploiting vulnerabilities and delivering malicious code. Due to the significant and increasing complexity of exploit development, we also can predict that such exploits will continue to be developed by specialist engineers for use in targeted attacks,” Baranov Artem, malware researcher at ESET Russia, noted in the report.
ESET’s report also highlights the various mitigation techniques introduced by Microsoft last year for Windows, Internet Explorer, and the EMET tool.
Coordinated vulnerability disclosure
In a blog post published on Sunday, Chris Betz, senior director of Microsoft’s Security Response Center, called for better coordinated vulnerability disclosure.
“Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree,” Betz said. “Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a ‘fix’ before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp.”
The blog post came in response to Google’s decision to release the details of a Windows 8.1 vulnerability before Microsoft could fix it. Google published the information 90 days after Microsoft was notified, as per the company’s disclosure policy. Microsoft said it had asked Google to wait until January 13, but the search giant apparently refused to do so.
Last week, Microsoft announced its decision to provide advance Patch Tuesday notifications only to Premier customers and organizations involved in the company’s security program.