This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Bing Sun, with assistance from Andy Cheng, Yingwu Han, Haifei Li, Qiang Liu, Shennan Wang, Jun Xie, Chong Xu, and Stanley Zhu.
Our research into threats to networks and applications shows us three top targets of malware developers. They aim zero-day and advanced persistent threat attacks against vulnerabilities in Microsoft Internet Explorer (including IE plug-ins and ActiveX), Adobe applications (including PDF and Flash), and Sun’s Java. We also see vulnerabilities in Microsoft Office applications and other Windows native components (such as GDI +, the kernel module, and drivers) exploited in the wild. These targets are favorites each year for attackers, so it’s not hard to predict where they will look in 2014.
- Browsers will remain the primary target for remote code execution attacks. Browsers have a range of factors that can be leveraged for exploitation, such as third-party plug-ins and various scripting-language support.
- The prevalence of vulnerabilities in Adobe applications will increase, perhaps related to source-code leakage. Adobe product vulnerabilities, especially in Flash, are often used in conjunction with other application vulnerabilities (in browsers, Office, etc.) to bypass protections.
- Java vulnerabilities and exploits, either of the Java virtual machine or native component layer, will remain very popular. Compared with memory corruption issues, Java exploits don’t require a shellcode-like payload; thus they are more reliable and easier to make. Although Java enhanced its security in Version 7.0—a security alert will prompt users before running any unsigned applet, for example—many users will choose to disable the alert to avoid the noise. Moreover, we suspect many Java users still use old or unsupported versions due to compatibility issues with legacy Java apps or simply bad habits. This would explain why so many old Java vulnerabilities are still actively exploited by exploit kits.
- Attackers will continue to find holes in Office. Our analysis of the recent Office exploit CVE-2013-3906 (TIFF embedded in .docx) reminded us that Office documents employ a compound-document format that is designed to allow many other types of content (such as OLE objects). Such a rich set of features, some perhaps unknown or hidden, will inspire attackers to find new weaknesses in these applications. From this exploit, we know that a Word document can embed a number of ActiveX binaries to do heap sprays, and can load an incompatible module (VB6) to completely disable data execution prevention for the entire process.
- Kernel-mode elevation of privilege vulnerabilities will be widely exploited in combination with other application vulnerabilities to achieve both temporary and persistent infections. As we see in Microsoft’s Patch Tuesday security bulletin data, there are often new patches for kernel-mode vulnerabilities, notably in the GUI subsystem (win32k.sys). Kernel-mode issues accounted for roughly one-quarter of all Microsoft product vulnerabilities in 2013. Considering the complexity of kernel-mode components, we can foresee that the number of kernel vulnerabilities of 2014 will be at least as high as in 2013.
To add to our worries, exploits have become more advanced in their reliability, persistence, and ability to bypass various protections. Further predictions:
- Native operating system and application protection mechanisms are not adequate to detect and stop advanced exploits. Attackers will increase their efforts to break these defenses in 2014. Although both OS and application vendors have made many security improvements, attackers can always find new ways to create reliable exploits, which was well demonstrated in the 2013 Pwn2Own hacker contest. For example, the combination of data execution prevention and address space layout randomization can be easily defeated by memory information leaks and return-oriented programming.
- Many exploits are now aware of the existence of network and endpoint security software. As we have observed during our research, the trick of API hook hopping has become a standard weapon of advanced shellcode to prevent its execution from being monitored. We have seen this technique in wide use, especially in zero-day exploits. We expect exploit tools such as Metasploit Framework and Canvas may soon add this feature.
- Many applications have implemented “sandbox” solutions to confine malicious behaviors in a restricted environment to minimize their impact. Office, Adobe Reader, and Google Chrome each have a sandbox implementation. To break out of an application-level sandbox and do malicious things to a whole system, an attacker will have to use more than one vulnerability and achieve a multistage exploitation. An elevation of privilege vulnerability can help an attacker escape from the sandbox and install malware on the compromised system. Here’s where a kernel-mode vulnerability will come in handy because it can let an attacker run code in Ring 0. We expect more attackers to take advantage of kernel exploits to escape application-level sandbox products.
- We believe exploits (especially zero day and advanced persistent threats) will soon evolve to include features that defeat sandboxing. First, exploits will become stealthier, especially during the postexploitation stage. They will try to leave as few footprints as possible because sandbox detection relies heavily on postinfection behaviors to identify an attack. Further, more exploits will begin to detect or even escape from a sandbox. Although the latter seems difficult, it is possible.