(LiveHacking.Com) – One of the biggest threats to Internet users isn’t the individual vulnerabilities found in operating systems (like Windows or OS X), web browsers (like IE, Firefox and Chrome) or software (like Adobe Acrobat or Flash), but the exploit kits that bundle exploits for these known vulnerabilities into a single package, which cyber criminals and malware writers then deploy to infect and control victims’ computers.
Although attacks can be launched (and have been launched) using individual vulnerabilities, the greatest damage is done with these exploit kits, and the cyber criminals know it. The speed of development of these kits also seems to be increasing. Until recently, exploit kits tended to use exploits that had been known for at least a year, and their development seemed to be slow. However, according to research by M86 Security, two “popular” exploit kits have been updated to exploit a vulnerability in Java which was discovered less than two months ago.
CVE-2011-3544, which was discovered by Michael ‘mihi’ Schierl, allows arbitrary Java code to run outside of the sandbox due to a vulnerability in the Rhino Script Engine. Not long after the discovery, an exploit module was published in Metasploit. The Blackhole exploit kit has now been modified to exploit clients that have Java installed, using the CVE-2011-3544 vulnerability. A few days later, a new version of the Phoenix exploit kit, 3.0, was released, only a few weeks after the release of its predecessor, Phoenix 2.9.
“The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor,” wrote Daniel Chechik.
What this shows is that cybercriminals aren’t actively relying on zero-day flaws but are instead using known (and patched) vulnerabilities.