13 Jan, 2020

Understanding the Risk of Zero-Day Exploits

The phrase "zero-day exploit" sends a chill down an administrator's spine. Defending against one is hard, but it doesn't mean system managers are helpless. A good security setup will withstand many of them and reduce the impact of the ones it can't stop.

A zero-day exploit takes advantage of a vulnerability that has just been discovered. The software publisher may know about it, but it doesn't have a patch yet. Sometimes malicious actors learn about the vulnerability first and develop a way to attack it before the software developers know there's a problem. Sometimes independent security researchers discover and report it first.

A zero-day vulnerability may be known before it's exploited. In the best case, the developers find and fix it before anyone else is aware of it. Sometimes a proof of concept is revealed to the public but no exploits immediately appear "in the wild." Simply knowing of its existence doesn't always mean exploiting a vulnerability is easy.

The term "zero-day" can be taken to mean that attacks start on day zero of the vulnerability's discovery, or that the developers have zero days to fix it. It takes some time to fix any bug, no matter how urgently a patch is needed.

The target isn't necessarily helpless. System protection can prevent an exploit from doing harm. A few such vulnerabilities are deadly weaknesses, but others just make the attacker's job easier. Some have no impact on a particular installation. Nonetheless, administrators need to look at all announced vulnerabilities and determine what they need to do.

What a Zero-Day Exploit Does
A vulnerability generally can be exploited in a variety of ways. You don't know what form the attack will take until it happens. There can be multiple exploits of a single vulnerability. These are some of the possibilities:

  • Installation of malware to acquire or alter important data or to launch attacks on other sites.
  • Acquiring administrator-level privileges in a compromised user account or without logging in.
  • Alteration of a website, redirecting visitors to another location or adding malicious content.
  • Disabling services or shutting down entire systems.
  • Installation of a backdoor to allow any of these attacks later on.

Some exploits rely on human error. They may do damage only if someone uses a relatively weak password, visits a page with hostile JavaScript, or opens a phishing attachment. An exploit may be dangerous only if a combination of factors falls into place.

The Prevalence of Zero-Day Exploits
While not every vulnerability is serious, the sheer number of them is huge, and some of them are very dangerous. Looking back on 2019, the CVE (Common Vulnerabilities and Exposures) site reports:

Major vulnerabilities that are quickly exploited result in widespread damage. Some of the biggest exploits come from governmental or government-supported actors.

The 2017 WannaCry ransomware attack was a highly publicized example. It used a vulnerability that had previously been known only to the National Security Agency, along with a tool stolen from the NSA to exploit it. The vulnerability, found in older versions of Windows, allowed the misuse of the Server Message Block (SMB) protocol to penetrate systems, install malware, and spread to other systems.

Microsoft released patches just a day after the first attacks, but many systems weren't updated right away, if at all. About 200,000 computers were affected by WannaCry.

The Window of Vulnerability

Microsoft's response to WannaCry was unusually fast. It usually takes several days or more from the first report of an exploit to the availability of a patch. The window of vulnerability until the patch is installed can be even longer, depending on an organization's practices.

Fixing a vulnerability requires identifying the bug that caused it, writing a fix, testing it, and publishing a release. Too much haste can cause worse problems. A poorly written patch could introduce other bugs, cause compatibility problems, or not fully solve the problem.

Once a patch is issued, system managers have to install it. It may be necessary to restart the affected service or the entire machine, so it has to be scheduled to avoid unnecessary disruption. It should be installed in a way that allows rolling back, in case the patch causes problems.

Organizations with older software versions are especially at risk. Old versions are less well supported or no longer receive any updates at all. If an organization has just a few legacy machines, it may forget to check them for patches.

Even after a fix is installed, an exploit might already have done undetected damage. It's necessary to run system scans to make sure there aren't any signs of persistent intrusion.

Protection Against Zero-Day Exploits
The smaller the window of vulnerability, the smaller the chance that a zero-day exploit will damage a network's systems. Checking for patches on a regular basis, preferably daily, minimizes the chance that attacks get through. Administrators who do this routinely don't have to wait for an exploit to hit the news before acting.

Scanning for vulnerabilities will make sure no patches are overlooked. If a known vulnerability exists, the chances are good that a fix for it is available.
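To make the window-of-vulnerability bookkeeping from the previous sections concrete, here is an added Python example. It is not Quttera's code and not part of the original post: it compares a constructed software inventory against a list of constructed advisories (the advisory ids are placeholders, not real CVE numbers), flags any installed version below the fixed version, and reports how many days each affected package has been exposed since disclosure and how long the vendor took to ship a fix. Package names, versions and dates are all invented, and the version comparison assumes plain dotted numeric versions.

```python
"""Patch-window audit over a constructed inventory (added example, not the post's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str                  # placeholder id, not a real CVE number
    package: str                      # affected software product
    fixed_version: str                # first version that contains the fix
    published: date                   # day the vulnerability became public
    patch_released: Optional[date]    # None while the vendor has no patch yet


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings.
    Assumption: versions are purely numeric and dotted."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """An installed version below the fixed version still has the bug."""
    return version_tuple(installed) < version_tuple(fixed)


def find_unpatched(inventory: Dict[str, str], advisories: List[Advisory],
                   today: date) -> List[dict]:
    """Return one finding per advisory that affects an installed, unfixed package."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue  # advisory has no impact on this installation
        if not is_vulnerable(installed, adv.fixed_version):
            continue  # already running a fixed version
        if adv.patch_released is None:
            status = "no patch yet: mitigate and monitor"
            vendor_patch_days = None
        else:
            status = "patch available: schedule install"
            # how long the vendor needed from disclosure to fix
            vendor_patch_days = (adv.patch_released - adv.published).days
        findings.append({
            "advisory": adv.advisory_id,
            "package": adv.package,
            "installed": installed,
            "fixed": adv.fixed_version,
            "status": status,
            "exposed_days": (today - adv.published).days,  # our own window so far
            "vendor_patch_days": vendor_patch_days,
        })
    return findings


# Constructed sample data: invented products, versions, dates and placeholder ids.
INVENTORY = {"webserver": "2.4.1", "dbengine": "5.7.3", "imagelib": "1.0.9"}
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "webserver", "2.4.2", date(2020, 1, 6), date(2020, 1, 9)),
    Advisory("ADV-EXAMPLE-0002", "dbengine", "5.7.2", date(2019, 12, 20), date(2019, 12, 28)),
    Advisory("ADV-EXAMPLE-0003", "imagelib", "1.1.0", date(2020, 1, 12), None),
    Advisory("ADV-EXAMPLE-0004", "mailer", "3.0.1", date(2020, 1, 2), date(2020, 1, 3)),
]
TODAY = date(2020, 1, 13)


if __name__ == "__main__":
    for finding in find_unpatched(INVENTORY, ADVISORIES, TODAY):
        print(f"{finding['advisory']}: {finding['package']} {finding['installed']} "
              f"(fixed in {finding['fixed']}), exposed {finding['exposed_days']} days, "
              f"{finding['status']}")
```

Run daily from a scheduler against a real inventory and advisory feed, a report like this is the "don't wait for the news" check the text describes: the dbengine entry drops out because it is already on a fixed version, the mailer entry drops out because it isn't installed, and the two remaining findings separate "install the patch" from "no patch exists yet, so compensating controls and monitoring are what is left."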

Patching isn't the only defense, though. A well-protected network is safe against a broad range of unknown threats as well as known ones. Internal and external malware monitoring will detect attacks that have gotten through, allowing prompt removal. External monitoring of a website detects threats such as malicious JavaScript, altered pages, and unexpected redirects. Internal monitoring spots altered files, outgoing spam, and attempts to communicate with command-and-control servers.
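One form of the internal monitoring just mentioned, spotting altered files, is a baseline-and-compare integrity check. The following Python example is added here and is not Quttera's or the post's code: it hashes every file under a web root with SHA-256, stores the result as a baseline, and later reports files that were modified, added or removed. The `demo()` function builds a constructed site in a temporary directory, simulates the three kinds of change, and returns the diff; the file names and contents are invented.

```python
"""File-integrity baseline check (added example, not the post's code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_to_baseline(baseline: Dict[str, str],
                        current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two snapshots: new, deleted and altered files."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, change the site, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html>hello</html>")
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('ok');")
        baseline = build_baseline(root)  # snapshot taken while the site is known good

        # Simulated changes an attacker or a broken deploy might leave behind.
        (root / "index.html").write_text("<html>hello</html><!-- unexpected change -->")
        (root / "js" / "unexpected.txt").write_text("file that was never deployed")
        (root / "js" / "app.js").unlink()

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline would be written to storage the web server account cannot modify and refreshed only on legitimate deploys; any unexplained entry in the diff is the cue to investigate, and a clean diff after patching is the "no signs of persistent intrusion" check the text calls for.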

Employee education is important. Many exploits depend on getting users to visit websites or open attachments that are tailored to the vulnerability. If employees recognize and discard phishing messages, the exploit might find no opportunity to cause trouble.

A Web application firewall (WAF) blocks suspicious traffic, keeping exploits from reaching their targets. Quttera's WAF uses behavior-based analysis, so it isn't limited to detecting known threats. It is constantly updated to be prepared for many kinds of hostile packets. The WAF is part of Quttera's comprehensive ThreatSign website protection. Sign up for ThreatSign to keep your site safe from the ever-growing array of online dangers.