HP: Zero-day term for flaws 'misleading'

An expert from HP warns that using the term lulls users into a false sense of security as vendors tend to wait to come up with patches before publicly announcing flaws.

A top security executive from Hewlett-Packard has hit out at the industry's usage of the term "zero-day" flaws, saying that it does not give users the full picture of the real risks of such threats.

Keith Millar, master technologist at HP's security strategy office, told ZDNet Asia in an interview last week: "I think it's a little misleading as it tends to imply that the threat begins on the day the vulnerability becomes public. In reality, it exists as soon as the first person discovers it."

Zero-day flaws are vulnerabilities for which no patch exists. Some of the earliest recorded incidences of such flaws date as far back as the year 2000, where members from a computer underground group discussed ways to take advantage of a serious, unreported flaw in Microsoft's Web server software.

Millar explained that when analyzing threats, the actual timeline that should be taken into account begins as soon as a hacker discovers a security vulnerability in a piece of software.

The hacker, if a malicious one, could have exploited the flaw for an entire year or "a long time" before publishing it on the Internet, or before the software vendor finds out about the vulnerability, he said.

Millar pointed out that vendors, typically, publicly announce the vulnerability only when they have a patch ready. As a result, he said, businesses may wrongly assume that they still have time to deploy the patch after it is made available, together with the announcement of the threat. They may then put off the need to include the patch in their security administration until they hear of a particular vulnerability which directly affects them.

Millar lamented: "I would hate for people to think that until vulnerability is announced, there's no risk. The reality is likely that someone [had already] exploited it a long time ago."

Getting more proactive
However, he acknowledged that software makers have their reasons for not publicly identifying vulnerabilities until they have a patch ready.

"It affects customers; they can't afford to have a vulnerability without a fix," he noted. "It would be a disservice to customers if the company were to announce the threat before they had a way to fix it."

In fact, flaw researchers often tussle with software vendors over the full disclosure of security flaws--whether or not a fix is available. Today, flaw finders are demanding that vendors be more forthcoming about what they are doing to patch the holes that researchers have reported.

So what are users to do if they cannot even afford to wait for vulnerabilities to be reported?

Millar recommended that they take mitigation action such as HP's Active Countermeasures (HPAC) services, in addition to remediation and defense techniques.

The vendor first unveiled HPAC in July, which will be made available in October. It is a host-based service that includes a tool that is implemented into a customer's network to let administrators scan IP addresses and find machines that are at risk.

Developed by HP researchers in 2003, the tool was originally designed to allow the company to solve security problems created by worms such as Blaster, Nimda, Sasser, Slammer and Zotob, said Millar. Even though HP had remediation and defense techniques, such as antivirus and intrusion detection and protection systems, in place, "a few nasty ones" still managed to get through, he said.

HP's global enterprise network supports between 350,000 and 400,000 devices at any one time. If malicious worms succeed in penetrating 4 to 5 percent of the system, that means about 20,000 devices would be made vulnerable, noted Millar.

Components that present the highest risks are unmanaged equipment belonging to contractors, or dormant systems that employees have at home and use to access the corporate network, he said. With HPAC mitigation services, security administrators can find every system that is still vulnerable and take action to make it safe from attacks.

In a basic scenario, mobile computers that employees take home and bring back into the enterprise network may be quarantined until they have been upgraded with the appropriate set of patches.

"Even if we can't fix something fast enough, we still need to take care of it," said Millar.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All