Hackers increasingly aim for cross-platform vulnerabilities

A Microsoft security researcher says malware makers seek 'economies of scale'

More and more hackers are targeting the same application vulnerabilities on Macs and Windows PCs as a way to reap the financial benefits of writing cross-platform malware.

The trend involves exploiting vulnerabilities that go as far back as 2009 in Office documents. Other cross-platform, third-party technologies favored by hackers include Java, Adobe PDF and Adobe Flash, Microsoft security researcher Methusela Cebrian Ferrer said Tuesday in the company's Malware Protection Center blog.

Targeting the same vulnerabilities in applications commonly found on both platforms allows hackers to reap profits twice from the same malware, a trend Ferrer calls "economies of scale in cross-platform vulnerabilities."


"This method of distribution allows the attacker to maximize their capability on multiple platforms," he said.

Stephen Cobb, security evangelist for ESET, said cybercriminals have treated malware development and methods for infecting systems as a business for years. "We can expect to see further application of business logic -- such as economies of scale, division of labor and risk/reward calculations -- to developments in this space," he said in an interview via email.

Although targeted vulnerabilities may have already been patched by vendors, hackers bank on user negligence when it comes to installing software updates.

As an example, people are notoriously slow in installing Java patches to Windows PCs and Macs. As much as 60 percent of Java installations are never updated, according to security vendor Rapid7.

"All these un-updated applications on the desktop, whatever they may be, are low-hanging fruit," said Jamz Yaneza, research manager for Trend Micro. "These are the easiest things to attack."

Microsoft spotted the latest trend while investigating malware called Backdoor Olyx, which the software vendor first identified a year ago. Subsequent variants have demonstrated the cross-platform approach taken by malware writers.

Backdoor Olyx and its variants are typically downloaded by victims clicking on malicious links or visiting malware-distributing Web sites. The Trojans are also distributed through e-mail attachments.

Because the malware attacks known vulnerabilities, the best defense is to keep security software up-to-date and install the latest operating system and third-party security patches. "This best practice should extend to all devices and platforms, especially those in large enterprise networks," Ferrer said.

Additional options include uninstalling Java. While the platform is often necessary on servers, its importance has diminished on desktops and laptops with the use of newer Web technologies.

To make other software safer, users can run applications in the safest configuration possible, according to Wolfgang Kandek, chief technology officer for Qualys. He noted, for example, that users can turn off JavaScript in Adobe Reader as one way to bolster security in that software.

Copyright © 2012 IDG Communications, Inc.
