IE is back to being Internet Exploder

After years of keeping the security flaws in its Internet Explorer range down, Microsoft appears to be under siege from malware writers.

Bromium Labs analysed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013.

This makes IE worse than Java and Flash for vulnerabilities.

It does not appear to be Microsoft’s fault. Hackers had been increasingly targeting Internet Explorer and Vole had responded with a progressively shorter time to first patch for its past two releases.

In contrast, the number of Java zero-days has declined, and in the first six months of 2014 there has not been a single public Java exploit.

Bromium thinks that the attention paid to Java exploits in 2013, and countermeasures such as disabling Java, may have had a role in forcing attackers to switch to new targets this year. This resulted in a drop in Java being targeted generally.

The hackers have been using Action Script Spray, an emerging technique that bypasses address space layout randomisation (ASLR) with a return-oriented programming (ROP) chain.

Rahul Kashyap, chief security architect at Bromium, said web browsers have always been a favourite avenue of attack, but hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

He said that Action Script Sprays are a new technique and similar techniques will start to appear in the months to come. This is further evidence that the world of Web browser plugins presents a weak link that is just waiting for exploitation.

Web browser release cycles are compressing and the interval between the general availability of a new release and the appearance of the first security patches has been decreasing recently, he noted.

“This may represent greater efforts on the part of software manufacturers to secure their products, or it may represent products being released to market with less security testing than earlier versions received,” Kashyap said.