0 day… 0 problem?

Zero-day attacks generate a lot of coverage and consequently occupy the security thinking of many Information Security professionals when planning or implementing effective security strategy. The common perception is that the pursuit and implementation of zero-day exploits is a driving force in the world of cybercrime and that zero-day attacks facilitate more successful cybercrime. Is that really the case though? Let’s consider some evidence. If we look at the figures for the total number of vulnerabilities recorded every half year since the second half of 2006, then there is definitely a downward trend, from somewhere in excess of 3500 to around 2500 in the first half of 2010, so that’s good news. There has been increased focus on secure coding and secure application and operating system development in recent years and this can only have contributed to this improvement. Microsoft’s own Security Intelligence Report shows the same trend in the level of application vulnerabilities. It also shows that for the first time browser vulnerabilities outpace operating system vulnerabilities (although it must be said the level of both is very low when compared to application vulnerabilities). Alongside this drop in total vulnerabilities, vendor patch cycles have also shortened which on the face of it is all good news, so why is vulnerability patching still so troublesome? Data from Secunia offers one explanation, showing that “A typical end-user can patch 35 per cent of the vulnerabilities with one update mechanism (Microsoft’s), but needs to master another 13 or more different update mechanisms to patch the remaining 65 per cent of third-party program vulnerabilities.” Another factor to take into consideration is the huge increase in “weaponisation” capabilities by criminals. In 2005 it took an average of seven days before exploit were reverse engineered from vulnerability announcements or patch releases. In 2010 that time from patch to exploit can be counted in hours. New exploits are added to both commercial and criminal attack toolkits almost as soon as the vulnerability is public knowledge, most often way before any enterprise can hope to have the patches rolled out (not to mention consumers). If we balance the number of total vulnerabilities against the number of true zero-day vulnerabilities it’s easy to see where the greatest threat to business and individuals lies. In 2008 there were nine zero-days and in 2009 a further 12, so far in 2010 there have been 10 by my count. Compare that to the thousands of vulnerabilities recorded and it is easy to see where criminals will get the greatest bang for the buck. The reality is that criminals focus far more acutely on social engineering techniques using emails, or mass website compromises and social networks as the initial infection trigger. Widespread homogenous insecure application environments offer rich pickings to criminals. The monoculture afforded by widespread deployment of Acrobat Readerand Flash for example have led to them being the two most often abused applications in terms of vulnerability exploitation. The overall scale of the threat posed by vulnerabilities and exploits is clearly visible when looking at the number of TROJ_PIDIEF malware seen by Trend Micro in the first half of the year. The PIDIEF malware family is specifically made up of malware that arrives as PDF files, which exploit vulnerabilities in the Acrobat family of products. In the first half of the year, a total of 666 new detection names were added to Trend Micro products. Each detection name represents multiple in-the-wild variants, resulting in a total number of new PDF threats numbering into the thousands – in only six months. Mitigation against zero-day vulnerabilities is still important, zero-day planning still has a place on the Information Security professional’s agenda, but enterprises and individuals would benefit far more from an effective mechanism to shield regular vulnerabilities from exploitation until such time as the patch can be rolled out. Zero-day attacks have proven effective in some high profile targeted attacks such as Stuxnet and Aurora, but in all honesty when there’s so much low hanging fruit, the criminals have no need to run around searching for ladders.