Data Loss mailing list archives

Less than zero: Zero-day vulnerabilities
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Mar 2014 18:52:34 -0700


For information security professionals, zero is much more than nothing.

Zero-day vulnerabilities - holes in software that are not generally
known or protected against - are a growing concern for organizations as
criminals get increasingly savvy about how to use these weaknesses to their
advantage. In the end, experts say, it is becoming a race between how fast
software makers and researchers can uncover these holes - which most
commonly affect Microsoft, Adobe and Java software - and distribute a patch
or update, and how quickly the bad guys will get there first.

Exploits that target zero-day vulnerabilities, by most accounts, are not
all that common. Craig Williams, technical leader for the Cisco Threat
Research, Analysis and Communications (TRAC) Outreach team, says his group
regularly sees zero-day exploits "but it is far from a daily event," adding
that normally he would see one or two per month. "Companies are getting
better at reducing the number of vulnerabilities that ship in their code,"
he says. "Things like development lifecycles that put emphasis on security
and require security-focused testing help reduce the number of bugs."

Additionally, companies are investing in exploit-mitigation technologies -
such as memory protections, sandboxes or Microsoft's Enhanced Mitigation
Experience Toolkit - which Williams says can make it "much more challenging
for vulnerabilities to result in useful code execution."

Nonetheless, when they do hit, zero-day exploits can be more damaging than
most because they strike where no one is looking and can remain undetected,
since much current security software looks for malicious code based on
known signatures.

"Zero days are incredibly valuable to the attackers...they don't want people
to know it exists, and [the length of time] between detection and
disclosure can vary," says Mark Elliott, founder and executive vice
president of Quarri Technologies.

Or, in the words of Allen Harper, chief hacker and executive vice president
of Tangible: "We have a blind spot growing in the security field and that's

Alex Cox, principal security researcher for RSA FirstWatch, says zero-day
exploits targeting Java in particular "tend to be the most damaging as many
enterprises don't have a solid patching process for it, and vulnerabilities
tend to be exploitable for a longer period of time between patch cycles."

But other experts point out that while the threat certainly hovers, actual
damage has as yet been minimal. "The continued string of high-profile
compromises, to Adobe source code in particular, has the potential to cause
an explosion of zero-days, but we haven't really seen that yet," says Cox.
"The potential is there, just unrealized as of yet. I'd say that the use of
zero-days has increased along the same lines as the threat. That is, as the
bad guys' sophistication has increased, so has their ability to use
zero-days in their attacks."

In fact, says Williams, the growth rate of zero-day threats is set by the
number of people attempting to exploit users of the internet. "We're seeing
a much more targeted use of zero-day threats these days," he says.

Michael Sutton, vice president of security research for Zscaler, says the
landscape for zero-day vulnerabilities has evolved significantly in recent
years as software makers, Microsoft in particular, have gotten increasingly
better at putting out patches, and organizations have become more adept at
shortening the patch cycle. The threat, Sutton says, is no longer the
"low-hanging fruit" of simple vulnerabilities. "It's not getting worse so
much in terms of sheer volume, it's the severity of the threats and the
length of time they are taking to come to the surface to get to where a
vendor can address them," Sutton says.

In the meantime, there is a lot of money to be made in zero-day
vulnerabilities, by the criminal underground and nation-states alike.

Anup Ghosh, CEO and founder of Invincea, believes the problem will get
bigger come April, when support for Windows XP ends, and new
vulnerabilities may keep cropping up without getting fixed. "We're about to
enter a period where zero-days will be very common on Windows XP machines,
with no patches available," Ghosh says. Jeff Davis, vice president for
engineering at Quarri, agrees that this causes a problem, especially since
30 percent of PCs are estimated to run the Windows XP operating system.

With more and trickier zero-day exploits on the horizon, what can
organizations do to streamline the process so that they can account for
these vulnerabilities, find them and protect against them?

"You can't patch what you don't know about," Sutton points out, adding that
all organizations need to start with a well-oiled patch management process
that monitors public sources, as well as commercial feeds, for reports of
potential zero-day vulnerabilities. Monitoring, he says, must also take
into account the fact that employees are bringing new computing assets into
the corporate environment - creating a need to update patching on new

Stefan Frei, research vice president for NSS Labs, points out that not all
exploits affect the latest versions of a program or an operating system.
Having the latest versions installed and kept up to date is effective in
preventing known exploits and zero-days that affect only older versions -
for example, a zero-day for IE 7 that is ineffective against IE 10, he says.
Further, the latest versions of operating systems typically ship with
exploit mitigation techniques that protect the OS and the programs running
on it, which at least make it much harder to successfully exploit the box.
To benefit from these protection features, he recommends upgrading XP boxes
and other older operating systems.

"If you are a high-value target, assume you are compromised by zero-days,
unpatched programs or internal attackers," Frei says. "As 100 percent
protection is an illusion, be prepared to detect a breach early and have a
process to handle it. Many protection suites promote 'ahead of the threat'
protection, but often fail to even block long-known exploits in our tests."

Likewise, Cox points out that historically the mitigation process in most
enterprises has revolved around how widespread the attack is. "The idea
being that you are relatively safe during the early stages of a zero-day
attack and can delay your strategies until attacks are widespread. I've
long been a proponent of immediate mitigation in these cases, as the
enterprise is most vulnerable during the targeted attack phase." He adds
that once the attack has gone widespread, security vendors have likely
caught up and commodity security technologies can detect the threat.

Williams believes the best way to mitigate zero-day events is
defense in depth. "The trouble with these is that the attackers can be
committed to avoiding detection - this is why they are using a zero-day in
the first place," he says. "By using multiple security devices with
different detection engines one can maximize coverage. Additionally,
opting in to telemetry systems can help vendors enhance coverage."

Ultimately, says Sutton, it's always going to be an arms race, and the bad
guys will always have the advantage. "They only need to find one chink in
the armor." He recommends that companies also look to security solutions
that rely on behavioral analysis and sandboxing. "Treat everything as
untrusted," he says.

Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/