#RSAC
Exploitation Trends: From Potential Risk to Actual Risk
SESSION ID: BR-T07
Tim Rains, Chief Security Advisor, WW Cybersecurity & Data Protection, Microsoft
Matt Miller, Principal Security Software Engineer, Microsoft Security Response Center, Microsoft
David Weston, Principal Program Manager, Operating Systems Group, Microsoft
Vulnerability trends
Industry-wide vulnerability disclosures
Microsoft software exploitation study
Microsoft remote code execution CVEs, by year
Microsoft RCE CVEs, by timing of first known exploit
Parties responsible for known exploits, Jan. 2012–Mar. 2015
Microsoft RCE exploitation root causes, by year
Uninitialized use
Exploit techniques, Jan. 2012–Mar. 2015
Exploit trends
Exploit Targets are Shifting
Flash Attack Trend Based on IEV Data

| % of Flash users that are out-of-date | Win 8.1 | Win 8 | Win 7 SP1 | Win 7 SP0 |
|---|---|---|---|---|
| Total Out-of-Date | 1.85% | 7.53% | 20.98% | 23.27% |

| CVE | Exploit In-the-Wild | Percentage of Users Vulnerable |
|---|---|---|
| CVE-2014-9163 | Yes | 20.98% |
| CVE-2014-8440 | Yes | 16.00% |
| CVE-2014-8439 | Yes | 16.96% |
| CVE-2014-0569 | Yes | 15.32% |
| CVE-2014-0556 | Yes | 13.96% |
| CVE-2014-0515 | Yes | 11.82% |
| CVE-2014-0506 | Yes | 11.56% |
| CVE-2014-0502 | Yes | 10.83% |
| CVE-2014-0497 | Yes | 10.53% |
| CVE-2013-5332 | Yes | 9.70% |
| CVE-2013-5331 | Yes | 9.70% |
Time-to-Exploit-Kit is Decreasing
[Timeline figure, 1/1/2014 to 3/1/2015. Legend: Exploited by Exploit Kit as 0day; Exploited by Exploit Kit within 10 days of patch; Exploited by Exploit Kit within 30 days of patch.]
Events marked on the timeline (date: CVE):
2/2/2015: CVE-2015-0313
1/20/2015: CVE-2015-0311
1/16/2015: CVE-2015-0310
3/20/2015: CVE-2014-0336
11/11/2014: CVE-2014-8440
10/14/2014: CVE-2014-0569
9/9/2014: CVE-2014-0556
2/19/2014: CVE-2014-0322
2/4/2014: CVE-2014-0497
4/28/2014: CVE-2014-0515
11/11/2014: CVE-2014-6332
5/17/2014: CVE-2014-1776
Exploit Impact Remains Large
Image Credit: Spiderlabs
[Chart: “HanJuan” Attack Traffic Volume (series: Total). Y-axis: 0 to 800000. X-axis: dates from 12/22/2014 to 2/2/2015.]
IE Mitigations Impact new Exploits
[Timeline figure, 1/1/2014 to 2/19/2015. Legend: 0day exploit in Internet Explorer; New Internet Explorer Security Feature.]
0day exploits in Internet Explorer:
2/12/2014 - 3/11/2014: CVE-2014-0322
2/19/2014 - 3/11/2014: CVE-2014-0324
4/23/2014 - 5/1/2014: CVE-2014-1776
5/1/2014 - 5/13/2014: CVE-2014-1815
New Internet Explorer security features:
6/8/2014: Use-After-Free hardening v1
7/6/2014: Use-After-Free hardening v2
8/3/2014: Out-of-Date Java Blocking
11/7/2014: CFG Windows 8.1 Shipped (Optional Update)
2/11/2015: CFG for Windows 8.1 Shipped (Default)
Apply What You Have Learned Today
Use the newest versions of applications
Assess your risk based on exploit trends
Get current on security updates
Next week you should: In the first three months you should:
Within six months you should:
Resources
Microsoft Security Intelligence Report:
http://microsoft.com/sir
Microsoft Cyber Trust blog:
http://blogs.microsoft.com/cybertrust/category/cybersecurity/
Twitter: @MSFTSecurity