Zero-day vulnerabilities are something we all hear about often, and they usually involve widely deployed software. Internet Explorer (Microsoft) and Java (Oracle) are two familiar names that have recently dominated IT security news headlines, thanks to major vulnerabilities that let attackers gain remote access to end users' machines. Before you decide to hide all your money under the mattress, let's take a look at what this all means.
A vulnerability is a "zero-day" when the vendor (and usually the public) does not yet know it exists, so the vendor has had zero days to fix it. A zero-day attack exploits such a flaw while it is still unpatched, leaving developers no chance to address it before end users are affected. Zero-day exploits are considered a golden nugget in terms of value and are often sold on underground markets for large sums, while organizations such as the Zero Day Initiative (ZDI, http://www.zerodayinitiative.com/) pay security researchers to report newly discovered vulnerabilities so that the affected vendor can patch them before the details are made public. The US government reportedly paid $250,000 for an iOS exploit in 2012, and rewards of up to $200,000 have been offered for Internet Explorer or Google Chrome vulnerabilities.
Cyber warfare is the 21st century's means of crippling adversaries, and government agencies are willing to take any measure to ensure top secret information systems are never compromised. Widely used software is often subjected to rigorous penetration testing, so the easy bugs tend to be found first and discovering a dangerous, exploitable one takes real effort. More than 60% of exploits are discovered accidentally. To put that into perspective: we have all faced the blue screen of death on a Windows system. It is a relatively harmless error message, usually accompanied by a stop code naming the cause, because the kernel caught the fault and halted rather than carrying on with corrupted state.
Now imagine the same kind of failure in an internet-facing application: under a certain predictable condition (a malformed request, say) the software loses control of its own memory and crashes. The crash is only the most visible outcome. The same condition that crashes the program on junk input can often, with carefully crafted input, make it jump to code of the attacker's choosing instead of failing, and that is what turns a bug into an exploit. The ability to take control of a system remotely is the goal, ultimately leading to the theft of confidential information or the installation of malware; the possibilities are vast.
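The crash-versus-hijack point above, as an added example that is not code from the original article: a hypothetical request parser with a fixed-size name field and a completion callback stored directly after it. Junk input past the field turns the callback into garbage (the crash a fuzzer would see); the same overflow with a real address in the right place makes the program call a function the attacker picked; the fixed parser refuses the oversized input. The struct, function names and inputs are constructed for illustration, and the build is assumed to be 64-bit GCC or Clang.

```c
/*
 * Added example, not code from the original article. The struct, function
 * names and inputs are hypothetical and constructed here. Assumes a 64-bit
 * GCC/Clang build (noinline attribute, 8-byte function pointers).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*done_fn)(void);

/* A request record: a fixed-size name followed by the callback the program
 * runs when the request completes. on_done sits directly after name. */
struct request {
    char    name[16];
    done_fn on_done;
};

static void normal_done(void)   { puts("request finished normally"); }
static void attacker_wins(void) { puts("attacker-chosen code is running"); }

/* Stand-in for a copy that lives in another module (read(), a library call).
 * noinline hides the destination size from the compiler, as real cross-module
 * code would, so compile-time fortification does not mask the bug. */
__attribute__((noinline))
static void raw_copy(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* VULNERABLE: trusts the caller-supplied length. Any byte past name[15]
 * overwrites on_done. Returns the callback the program would invoke next. */
done_fn parse_request_vulnerable(const unsigned char *input, size_t len) {
    struct request r;
    r.on_done = normal_done;
    raw_copy(r.name, input, len);          /* missing check: len <= sizeof r.name */
    return r.on_done;
}

/* FIXED: rejects anything that does not fit in name, so on_done is never
 * touched. Returns NULL for rejected input. */
done_fn parse_request_fixed(const unsigned char *input, size_t len) {
    struct request r;
    r.on_done = normal_done;
    if (len > sizeof r.name)
        return NULL;
    memcpy(r.name, input, len);
    return r.on_done;
}

/* Both malicious inputs are name-sized filler followed by exactly the bytes
 * that land on on_done; out must hold sizeof(struct request) bytes. */
size_t build_crash_input(unsigned char *out) {
    /* junk of the kind a fuzzer sends: on_done becomes 0x4141414141414141 */
    memset(out, 'A', sizeof(struct request));
    return sizeof(struct request);
}

size_t build_hijack_input(unsigned char *out) {
    done_fn target = attacker_wins;        /* the attacker's chosen address */
    memset(out, 'A', offsetof(struct request, on_done));
    memcpy(out + offsetof(struct request, on_done), &target, sizeof target);
    return offsetof(struct request, on_done) + sizeof target;
}

/* Runs all three cases and returns a bitmask: 1 = junk input replaced the
 * callback with filler bytes, 2 = crafted input pointed it at attacker_wins,
 * 4 = the fixed parser rejected the crafted input. 7 means all three seen. */
int run_demo(void) {
    unsigned char buf[sizeof(struct request)];
    done_fn filler, cb;
    int result = 0;

    memset(&filler, 'A', sizeof filler);   /* what on_done looks like after junk */
    cb = parse_request_vulnerable(buf, build_crash_input(buf));
    if (cb == filler)
        result |= 1;                       /* calling cb here would segfault */

    cb = parse_request_vulnerable(buf, build_hijack_input(buf));
    if (cb == attacker_wins) {
        result |= 2;
        cb();                              /* the program now runs the attacker's function */
    }

    if (parse_request_fixed(buf, build_hijack_input(buf)) == NULL)
        result |= 4;
    return result;
}

int main(void) {
    printf("demo result mask: %d (7 = crash, hijack and fix all observed)\n", run_demo());
    return 0;
}
```

The junk case is what a crash report shows: the callback now holds 0x4141414141414141 and the process dies the moment it is called. The crafted case is the same write with a chosen value, which is why a reproducible crash on attacker-controlled input is treated as a potential code-execution bug until proven otherwise; modern mitigations (stack canaries, ASLR, non-executable memory) make the jump harder to land in practice, but they do not remove the underlying overflow, only the bounds check does.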
Newly discovered zero-day exploits can stay hidden from the public for months, dormant or in active use. In one case a zero-day exploit had been used for at least a month to steal personal information and files from visitors to an aviation website. The intention was to steal confidential government files from Air Force employees by compromising a non-government aviation site its targets were likely to visit, a technique now known as a watering-hole attack. This tells me that attacks are becoming more sophisticated and that hacking groups are well organized.
The most recent exploit discovered in Java presented a particularly sensitive issue. Whichever browser you prefer, the Java browser plugin is installed almost everywhere because many content-rich websites depend on it. The exploit allows a remote attacker to execute arbitrary code on the victim's machine through the browser, giving the attacker access to the data on the machine and turning it into a zombie feeding a botnet. Basically the machine is completely under the control of the remote attacker, and is often used to attack other unsuspecting victims. The discoverer of the exploit had originally posted on a cyber-crime forum with the promise of a "weaponized and source code version of the exploit" starting at $5,000 each. A weaponized exploit is one packaged with an interface and a delivery mechanism, so the buyer can launch the attack without further development work: the gun as well as the bullets.
It's not possible to completely safeguard your business from a zero-day attack. However, keeping software patched to the vendor's current release, removing or disabling software you do not actually need (browser plugins such as Java are a prime example), and ensuring IT security policies are up to date and enforced for all employees can reduce the number of affected end users and shrink the window in which an exploit works.