“Pieces of software will always have vulnerabilities, and there will always be criminals creating exploits for those vulnerabilities,” says F-Secure senior researcher Timo Hirvonen. “It’s become a whole business model for these criminals, because the security patches that companies release basically expose the vulnerabilities in software. The criminals reverse engineer the patches to find vulnerabilities, and then they target those vulnerabilities with exploits they develop.”
Recent research from F-Secure highlights the significance of exploits in the digital threat landscape. According to F-Secure Labs, exploits accounted for 40% of the top detections from crimeware campaigns during the latter half of 2014. The Angler exploit kit, which is a toolkit that gives criminals a simple set of software tools to help them create malware campaigns, was identified as the top digital threat in North America in F-Secure’s most recent threat report, and was included in the top five threats facing Europe and Oceania.
While previous exploit kits have focused on vulnerabilities in Java and older versions of Microsoft Windows, the past six months have seen a surge in exploit kits targeting Adobe’s popular Flash plug-in. F-Secure security advisor Sean Sullivan recently highlighted how the Angler exploit kit has preyed on Flash vulnerabilities, and characterised the plug-in as a “low hanging fruit” to illustrate the popularity of the software as a target.*
Hirvonen developed an open-source tool called Sulo to help security researchers analyse potentially malicious Flash files, and helped Adobe discover an unpatched Flash vulnerability last January.** According to Hirvonen, one way for people to defend themselves against exploits is to make sure their software stays updated, thereby eliminating many of the vulnerabilities that expose computers to exploit-based attacks. “Software vendors are quite good about releasing patches for these vulnerabilities, so it’s important that people use the patches as soon as they become available. Not keeping software updated is a security risk that many people take without even realising it, which motivates criminals to continue using these types of attack strategies.”