Hackers milk massive increase in browser plug-in bugs

Computerworld - Hackers loosed a record number of malicious code threats in the first six months of 2007, Symantec Corp. said today, with the most dangerous targeting vulnerabilities in browser plug-ins -- the weak link in Web 2.0.

"Web 2.0 is barely coined [as a term], and we're seeing hundreds of vulnerabilities aimed at it," said Alfred Huger, vice president of engineering for Symantec's security response group. "There's been a massive increase in the number of malicious threats, thanks to automation. In six months, we saw an increase of 185% in the number of samples of malicious code. And they weren't just variants, but entirely new binaries."

According to Symantec's just-published Internet Security Threat Report, the security vendor tagged 212,101 malware threats during the six-month stretch from January to June 2007. Trojans made up the majority of the top 50 threats.

But at the spear-point of the threat explosion, said Huger, were a rash of exploits that leveraged vulnerabilities in browser plug-ins, the typically single-purpose, third-party applications that work with a browser to play music, display certain file types or make possible software-as-a-service.

"We really saw an encroachment on the Web 2.0 space by attackers," said Huger. "Browser plug-in issues went through the roof." Symantec documented 237 plug-in vulnerabilities in the first half of the year, he added, compared with just 74 in the second half of 2006, a 320% jump. ActiveX controls, the Microsoft Corp. plug-in technology that it and numerous third-party developers use, made up the bulk of the buggy plug-ins, but others, including Apple Inc.'s QuickTime and Adobe Systems Inc.'s Acrobat Reader, were also fingered by Symantec. The former accounted for 18 vulnerabilities in the first six months, for example, while two flaws were identified in the latter.

In some ways, attackers have been forced to sniff out vulnerabilities in plug-ins, said Huger, because browser developers, including Microsoft and Mozilla Corp., have done a good job of locking down their applications. "Plug-ins are an easy mark," he said. "They're easy to exploit, easier than the browsers now, and attackers get the same benefit by attacking them."

With more content, services and even software delivered through the browser, Huger expects that the attack trend will only continue. "The good news is that standard security products will still protect you from these threats," he said. "If you have any broad [security suite] protection in place, you're pretty safe."

A growing number of the attacks launched against browser plug-ins came from multistrike attacker tool kits, such as the notorious Mpack -- and its successors -- in the January-through-June time frame, said Huger. "Mpack accounted for a very, very large number" of successful exploits in the first half of 2007, he said. Of the eight exploits deployed by IcePack -- a follow-on to Mpack -- half target browser plug-ins.