Browser infection rate against an exploit pack


MrBrian
March 24th, 2009, 07:39 PM
From http://www.prevx.com/blog/107/Fiesta---Monitoring-ITW-exploit.html

-{ Quote: "
Mike over at the research lab gave me a link to a Fiesta exploit pack he found running. Fiesta is an exploit pack sold for around $850 on the black market and contains around 25 different exploits. It contains many exploits; however, the exploit that is most effective in this pack is the Adobe PDF exploit.

The exploit pack is used to provide "loads". This is slang for malware distribution. What will happen in practice is that webmasters of high-traffic sites (mainly porn etc.) send traffic to a certain page on another server, for example www.blah123.com/infect/index.php. This might be done in an iframe. The victim's browser will then iterate through a series of exploits, to see if they are vulnerable to any of them.
" }-
The overall infection rate for this exploit pack was 3137/26076, or about 12%. The data also gives breakdowns by browser used. Be careful about making comparisons though, because this will vary by the exploits used in a given exploit pack, and also because of correlations that affect security. For example, those who use IE6 may have different security habits and configurations than those who use IE7.
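The delivery mechanism quoted above (a hidden iframe on a compromised high-traffic site forwarding visitors to the kit's landing page) is also the part a site owner can check for. The following is an added example, not code from the original post or from Prevx: a small scanner that parses served HTML and reports iframes that point off-site, are sized to zero, or are hidden by CSS. The sample page, the site host name www.example.com and the scoring rules are assumptions made for the example; the www.blah123.com/infect/index.php path is the placeholder from the quoted write-up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page (not taken from the original post): one legitimate
# same-site frame and one injected drive-by frame of the kind the Prevx
# write-up describes, forwarding visitors to /infect/index.php on another host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/player/embed.html" width="640" height="360"></iframe>
<p>Some content</p>
<iframe src="http://www.blah123.com/infect/index.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""

# CSS tricks commonly used to keep an injected frame out of sight (assumed list).
HIDDEN_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px)",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height of 0 or 1 pixels; non-numeric values (e.g. '100%') are not tiny."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return a list of {'src', 'reasons'} for frames that look injected.

    Each reason is one independent signal: an off-site source host, a
    zero-size frame, or CSS that hides the frame. A frame that shows
    several reasons at once is the classic drive-by pattern.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src host " + host)
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

On the sample page the scanner reports only the injected frame, with all three signals. An off-site source on its own is a weak indicator (video and ad embeds are off-site too), so in practice a single "off-site" reason is worth a look but not an alert; a zero-size or CSS-hidden frame pointing off-site is the pattern to act on.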

innerpeace
March 24th, 2009, 09:05 PM
Thanks MrBrian. From the list of exploits it looks like FF wasn't targeted, so is that why it appears to have done so well? I admit I don't know what some of the exploits are. But then again, isn't the PDF exploit universal?

MrBrian
March 24th, 2009, 09:14 PM
You're welcome :)

Yes, I believe the reason is that Firefox wasn't targeted by this particular exploit pack, and also wasn't vulnerable to the PDF exploit(s) included, for whatever reason.

innerpeace
March 24th, 2009, 09:29 PM
-{ Quote: "Yes, I believe the reason is that Firefox wasn't targeted by this particular exploit pack, and also wasn't vulnerable to the PDF exploit(s) included, for whatever reason." }-
Thanks! It's also kinda interesting to see how many folks still run older browser versions.

MrBrian
March 24th, 2009, 09:32 PM
-{ Quote: "Thanks! It's also kinda interesting to see how many folks still run older browser versions." }-

At least in Poland and Russia...

MrBrian
March 24th, 2009, 09:34 PM
It was also interesting to see that those on XP SP1 had an infection rate well below XP SP2, and that Vista had a low infection rate.

innerpeace
March 24th, 2009, 09:44 PM
-{ Quote: "It was also interesting to see that those on XP SP1 had an infection rate well below XP SP2, and that Vista had a low infection rate." }-
I missed that part.

Yikes! Windows 2003 got hammered at 47.3%.

Arup
March 25th, 2009, 12:48 AM
Barring aside this exploit pack which was made with obvious intention to make IE8 and others look bad, there are exploits out there for FF which are yet to be patched and this article here sheds some light on the safety issue with FF in general. http://www.networkworld.com/news/2009/030909-mozilla-patches-fastest.html

Eice
March 25th, 2009, 01:07 AM
-{ Quote: "Barring aside this exploit pack which was made with obvious intention to make IE8 and others look bad" }-
Well, they were kind enough to provide percentage breakdowns by OS and browser version, and it appears that IE only looks bad when you're using old IE versions on old XP, with 90% of the infections attributed to IE6.

Eice
March 25th, 2009, 01:16 AM
It's also interesting to note how they define "infection". The best I could find was: " The victims browser will then iterate through a series of exploits, to see if they are vulnerable to any of them," which isn't very helpful.

While it may be possible to get your exploit code running in the memory space of the browser process, to call just that as an "infection" is questionable at best. Chrome and IE7 / IE8, for example, have additional safeguards (sandboxing, Protected Mode) that can block payloads even if the exploit code gets successfully installed and running.

Arup
March 25th, 2009, 01:38 AM
-{ Quote: "Well, they were kind enough to provide percentage breakdowns by OS and browser version, and it appears that IE only looks bad when you're using old IE versions on old XP, with 90% of the infections attributed to IE6." }-


I feel if one keeps using an old unpatched browser or OS, no matter what their origin, they deserve to get infected. Even running an older unpatched Linux kernel would get you into heaps of trouble. Same goes for running older FF or Opera versions. IE8 and Chrome have set a good precedent by incorporating protected mode, something other browsers should emulate and learn from.

MrBrian
March 25th, 2009, 02:35 AM
-{ Quote: "Barring aside this exploit pack which was made with obvious intention to make IE8 and others look bad, there are exploits out there for FF which are yet to be patched and this article here sheds some light on the safety issue with FF in general. http://www.networkworld.com/news/2009/030909-mozilla-patches-fastest.html" }-

This page (http://thompson.blog.avg.com/2009/02/firefox-el-fiesta-mystery-solved-well-partly-but-its-a-start.html) shows a different version of the exploit pack that has managed to achieve "loads" via Firefox. I wonder if the labels for SP1 and SP2 are transposed, because SP1 shows a much greater number of visits than SP2, which doesn't seem likely.

MrBrian
March 25th, 2009, 02:42 AM
A page (http://novirusthanks.org/blog/2008/12/new-lefiesta-exploit-kit-in-the-wild/) with different stats