2015 has so far been a very busy year for security researchers. The data leaked from Hacking Team shocked many, thanks to the multiple zero-days that were disclosed, as well as emails discussing the unscrupulous trade in exploits and “tools”.
Cybercriminals (including exploit kit authors) have been hard at work integrating these newly-discovered flaws into their “products” to victimize more people and organizations; meanwhile vendors have been racing to provide users with security updates. This is a good time to see how the threat landscape has been shaped by the vulnerabilities found so far this year.
Summary of 2015 to date
As I noted earlier this year, the risks of using OS X, iOS, Android and Flash Player have increased in 2015. Our own research, plus the leaked data from Hacking Team, reflects this trend. By the end of July 2015, our researchers had discovered and disclosed 26 vulnerabilities; eight were zero-days.
Of these, two were discovered in high-profile advanced attacks, including Operation Pawn Storm and attacks in Korea and Japan. We found two Flash zero-days (CVE-2015-0311 and CVE-2015-0313) by monitoring popular exploit kits as well as feedback from Trend Micro products. Four more zero-days were found as part of the Hacking Team data, and we later confirmed that at least one of them (CVE-2015-5122) was quickly integrated into exploit kits. As of July, a total of 15 noteworthy zero-days were found in commonly used desktop applications by various researchers, with 8 of these found by our researchers.