I recently received a question at askeset@eset.com that I think maybe of interest to more than just the author.
I read an interesting article written by Kaspersky Lab titled "Drive-by Downloads. The Web Under Siege" and have a question I was hoping you could answer. (I have included a link to the article below.) Are all "drive-by" downloads attempting to exploit vulnerabilities or can they occur through other methods?
Kaspersky Lab article link: http://www.viruslist.com/en/analysis?pubid=204792056
The short answer is yes, all drive-bys exploit vulnerabilities. I haven’t tested, but I would guess that if you lower Internet Explorer’s security mechanisms to the absolute lowest level, a drive-by could be accomplished without technically exploiting a vulnerability, but then you have made your computer quite vulnerable. Not even the “trusted sites” setting in Internet Explorer disables all safety protocols.
Many of the drive-bys are not exploiting vulnerabilities in Windows however. Often the vulnerability is in a third party application. If you are not using a current and patched version of Adobe Reader or Acrobat, it is possible to simply go to a web site that automatically loads a specially crafted PDF file that will exploit one or more vulnerabilities in Adobe Reader or Acrobat and in turn infect your computer. There are many of these attacks exploiting vulnerabilities in many third party applications. In most cases there are patches to fix the vulnerabilities, but you don’t get the patches by running Windows Update if they are third party products that have vulnerabilities.
I recommend visiting http://www.secunia.com and scanning your PC. For home users it is free.
Drive-by downloads are a serious threat, but a relatively small one if you keep your computer fully patched.
It is by design that you can go to a web page and it will prompt you to run or download a file. This is not called a drive-by as you must actively make a choice. You need to know what you are downloading or running and why.
Randy Abrams
Director of Technical Education
