Zero day is now
Zero day vulnerabilities are those for which a vendor patch or
fix is not yet available.
Zero day vulnerabilities provide a backdoor into any operating
system or application and represent a serious threat to your organization.
Zero days are reality today. Ten serious zero day Windows vulnerabilities
were made public in late 2004 alone — and extensively exploited
by malicious hackers.
Furthermore, the ethical issues around the handling and disclosure
of vulnerability information have caused some controversy.
However, while zero day vulnerabilities are a reality and the threat
imminent, technology available today can help prevent attacks.
In late 2004, eEye Digital Security’s research team analysed
the impact of ten major vulnerabilities released ‘zero day’.
The IE IFRAME vulnerability, the LoadImage API vulnerability and the WINS bug
were heavily exploited in targeted attacks and in automatically spreading
malware, weeks or months before a patch became available from Microsoft.
For example, the zero day IFRAME vulnerability was exploited by
the Download.Ject Trojan and the Bofra worm — both suspected
to be linked to organised crime. Undetectable by intrusion detection systems (IDS), and
without the ‘noise’ of worms, more covert zero day vulnerabilities
are in regular use by malicious hackers. Organizations are frequently
not aware that they have been compromised.
Unsupported platforms including Windows NT 4.0 are increasingly
vulnerable to attack. In March 2005 Microsoft disclosed and released
a patch designed to fix a severe Windows vulnerability discovered
by eEye in February. However, rather than announcing the vulnerability
publicly, Microsoft made the patch available only to enterprises
on paid-for, costly support contracts, leaving organizations that are currently unable
to migrate away from NT 4.0 in an urgent search for protection.
Zero days are a potent weapon
in the hands of malicious hackers, ensuring a constant high demand
in the ‘black hat’ hacking community. The supply is determined in
part by the process applied when vulnerabilities are
discovered and disclosed.
Full vulnerability disclosure – friend or foe?
The vulnerability research industry has more or less converged
on what is known as ‘responsible disclosure’. This approach
ensures that vulnerability information is not publicly disclosed
until the vendor has released a patch – at which point full technical
details are provided.
Withholding this detailed technical information prevents end-users
from accurately assessing their exposure to the vulnerability
disclosed.
However, Microsoft’s Global Head of Product Security, George
Stathakopoulos, recently argued: “I would like to see the
industry self-regulating and delaying the release of Proof of Concept
exploit code (POC) for at least 90 days”. This supports some
vendors’ view that disclosing less technical detail would
delay the release of Proof of Concept (POC) code, and with it
the release of malicious attacks,
worms and other malware.
This argument is flawed, as hackers with the ability to create
malicious code have the skills required to reverse engineer patches
and expose vulnerabilities. Partial disclosure will not prevent
zero day attacks. Exploit code will always pass from those who know
how to write it to those who want it. Full, public disclosure is
the only way to avoid secret clubs trafficking zero day exploits
to the highest bidder.
What you can do to protect against zero days
In the wake of a serious vulnerability your organization will not
be able to patch fast enough to be safe – if a patch is even
available. The only viable approach is to invest in technology and
architectures that can mitigate or prevent zero day attacks. Technology
available today can prevent both known and unknown attacks,
whether at the network layer or on the host. Network based approaches
can prevent initial infections, but as soon as one attack gets through
the worm can spread unchecked. While network technologies like Intrusion
Prevention Systems (IPS) are valuable, only non-signature based,
endpoint security can offer any real promise of preventing the infection
and spread of a zero day worm.
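The paragraph above contrasts signature-based network detection, which by definition has nothing to match against an exploit nobody has seen yet, with non-signature-based endpoint detection that looks at what a process does. The following Python script is an added illustration and is not code from the article or from eEye: it runs a naive signature check and a simple behavioural rule (a process opening connections to many distinct hosts on one port in a short window) over a constructed set of endpoint connection events. All hostnames, process names, addresses and the `payload_tag` field are constructed, and the fan-out threshold, time window and allow-list are assumptions chosen for the example.

```python
"""Signature-based versus behaviour-based detection over constructed endpoint events.

Added example (not from the original article): shows why a signature engine
misses a variant it has never seen, while a behavioural rule on the endpoint
still flags worm-like fan-out from a process that should not be doing it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class NetEvent:
    ts: int           # seconds since capture start (constructed)
    host: str         # endpoint that reported the connection
    process: str      # image name of the process that opened it
    dst: str          # destination address
    dport: int        # destination port
    payload_tag: str  # constructed stand-in for the bytes a signature would match on


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    dport: int
    targets: int      # distinct destinations seen inside the window when the rule fired
    first_ts: int
    last_ts: int


# Constructed baseline: the only payload the signature engine knows about today.
KNOWN_SIGNATURES: Set[str] = {"WORM-A-v1"}

# Constructed allow-list of (process, port) pairs that are expected to talk on a workstation.
ALLOWED_PAIRS: Set[Tuple[str, int]] = {("outlook.exe", 443)}


def signature_alerts(events: Iterable[NetEvent]) -> List[NetEvent]:
    """Return every event whose payload matches a known signature. A variant with
    a changed payload is invisible here until someone writes a new signature."""
    return [e for e in events if e.payload_tag in KNOWN_SIGNATURES]


def behaviour_alerts(events: Iterable[NetEvent], window: int = 60, fanout: int = 5,
                     allowed: Set[Tuple[str, int]] = ALLOWED_PAIRS) -> List[Alert]:
    """Flag a (host, process, port) that reaches at least `fanout` distinct
    destinations within `window` seconds, unless that process is allowed on that port.
    The payload is never inspected, so the rule does not care whether the
    exploit is known. Each key fires at most once."""
    recent: Dict[Tuple[str, str, int], Deque[NetEvent]] = defaultdict(deque)
    fired: Set[Tuple[str, str, int]] = set()
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda x: x.ts):
        if (e.process, e.dport) in allowed:
            continue
        key = (e.host, e.process, e.dport)
        q = recent[key]
        q.append(e)
        while q and e.ts - q[0].ts > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {x.dst for x in q}
        if len(distinct) >= fanout and key not in fired:
            fired.add(key)
            alerts.append(Alert(e.host, e.process, e.dport, len(distinct), q[0].ts, e.ts))
    return alerts


# Constructed sample events: one benign poller, one known worm hit, one unknown variant
# spreading from a document viewer, and one benign admin tool below the threshold.
SAMPLE_EVENTS: List[NetEvent] = [
    *[NetEvent(t, "ws-01", "outlook.exe", "10.0.0.5", 443, "TLS") for t in range(0, 600, 30)],
    NetEvent(100, "ws-02", "winword.exe", "10.0.1.20", 445, "WORM-A-v1"),
    *[NetEvent(200 + i * 4, "ws-03", "winword.exe", f"10.0.1.{30 + i}", 445, "WORM-A-v2")
      for i in range(8)],
    NetEvent(300, "ws-04", "mmc.exe", "10.0.2.1", 135, "RPC"),
    NetEvent(310, "ws-04", "mmc.exe", "10.0.2.2", 135, "RPC"),
]


def compare(events: Iterable[NetEvent]) -> Dict[str, list]:
    """Run both detectors over the same events so the gap between them is visible."""
    events = list(events)
    return {"signature": signature_alerts(events), "behaviour": behaviour_alerts(events)}


if __name__ == "__main__":
    for name, hits in compare(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} alert(s)")
        for h in hits:
            print("  ", h)
```

On the constructed sample the signature check reports only the `WORM-A-v1` event on ws-02 and says nothing about ws-03, whereas the behavioural rule fires for ws-03 as soon as the fifth distinct destination is reached, without knowing what `WORM-A-v2` is. The two are complementary rather than interchangeable: the behavioural rule also stays silent on the single known hit on ws-02, which is why the article argues for adding non-signature-based endpoint controls rather than replacing IPS with them.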
If your goal is to reduce your overall risk posture, maintain business
continuity and comply with legislation, a more proactive security strategy
is required – along with technology equipped
to deal with zero days.
Can you afford to wait for the next zero day before you take action?
Ben Nagy is a senior security engineer at eEye.