The life and times of an exploit

Just this week we released the latest Microsoft Security Intelligence Report that focuses on the threat landscape in the second half of 2014. The “featured intelligence” included in the new volume of the report examines the increased speed at which purveyors of commercial exploit kits are trying to take advantage of newly disclosed vulnerabilities, even in cases where security updates have been developed, released and deployed to hundreds of millions of systems around the world.

New exploits are appearing in commercial exploit kits faster
This new research shows us that such attackers are simply trying to take advantage of organizations that have lengthy or long lead time security update testing and deployment processes. Organizations with relatively slow or periodic security update deployment processes should use this research to evaluate whether their current processes continue to be effective at managing related risks or whether new efficiencies are warranted given the increased speed that some modern day attackers have been demonstrating recently. The research confirms what many of the CISOs and security professional I talk to already know: swiftly testing and applying security updates as they are released remains one of the best ways organizations can protect themselves from attacks.

Microsoft researchers used CVE-2014-6332, which was addressed in Security Bulletin MS14-064, as a case study. The vulnerability was reported to Microsoft, a security update was engineered and tested, and then deployed to hundreds of millions of systems around the world starting on Tuesday November 11th, 2014.

Tools that enable automated reverse engineering of security updates have been around for many years. But from past research we have seen that it can typically take several weeks or even months before such exploits appear as part of commercial exploit kits that attackers can rent or lease. In the second half of 2014 we saw that timeframe reduced dramatically. In the case of CVE-2014-6332 it was first observed being used in commercial exploit kits just 4 or 5 days after the first attacks in the wild were observed.
CVE-2014-6332

The Good News
The good news is that by the time these attacks started the security update, MS14-064, had been deployed to hundreds of millions of systems around the world making the exploit ineffective on them. Many organizations that practice rapid security update deployment processes were deploying the update before attackers could start broad attacks using exploit kits. For organizations that had slower deployment processes, Microsoft shared signature development guidance for CVE-2014-6332 with our Active Protections Program (MAPP) partners who released signatures at the same time Microsoft released MS14-064. This helps detect and block attacks using the vulnerability on unpatched systems, thus, in many cases, giving them more time to test and deploy the security update.

Deploying security updates quickly is the most effective mitigation
Once attackers have a working exploit they will continue to try to use it for years into the future. It’s important to promptly install all relevant security updates as soon as is practical as this remains one of the best ways to help defend users and systems against newly discovered threats. It also pays security dividends to use the products from MAPP partners as they work closely with Microsoft to help customers stay ahead of attackers.

You can get full details of this new research in volume 18 of the Microsoft Security Intelligence Report.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more