Seven myths about zero day vulnerabilities debunked


Summary: Are zero day flaws what the bad guys are always looking for? Just how prevalent are zero day flaws within their business model? Are zero day flaws crucial for the success of targeted attacks? Let's debunk seven myths about zero day flaws.


Another month, another zero day flaw has been reported, with malicious attackers logically taking advantage of the window of opportunity by launching malware-serving attacks that use it. With vendor X putting millions of users in "stay tuned" mode for weeks, sometimes even longer, the myths and speculation surrounding the actual applicability of zero day flaws within the cybercrime ecosystem continue to grow.

Are zero day flaws what the bad guys are always looking for? Just how prevalent are zero day flaws within their business model? Are zero day flaws crucial for the success of targeted attacks?

Let's debunk seven myths about zero day flaws, using publicly obtainable data, an inside view of the cybercrime ecosystem, and, of course, the kind of common sense malicious attackers seem to possess these days.

  1. Zero day flaws are the primary growth factor of the cybercrime ecosystem - Not even close. In 2010, the cybercrime ecosystem is largely driven by the millions of end users and companies using the Internet with outdated third-party applications and plugins. With the current trend shifting from the exploitation of OS-specific flaws to the exploitation of client-side vulnerabilities, or to good old-fashioned social engineering attacks, the rather myopic perspective of end users and companies on the current threatscape is what makes malicious attackers successful in general. So if the bad guys don't rely on zero day flaws, what drives their business model? Several factors: the lack of security awareness internationally, which yields good click-through rates as long as they systematically rotate their social engineering themes; the high number of insecure applications and plugins running on the average Internet-connected PC; and the current DIY, Cybercrime-as-a-Service state of the ecosystem, which gives unsophisticated attackers access to sophisticated attack tools. All of these contribute to the growth of the ecosystem.
  2. Zero day vulnerabilities are what cybercriminals are looking for all the time - If they truly were, the cybercrime ecosystem would never have matured into the efficient money machine it is today. How come? Basically, what the bad guys realized is that, given enough hijacked traffic, there is a high probability that a huge number of users will be exploitable anyway, and that the time and resources they would have spent finding zero day flaws could be invested elsewhere. This marginal thinking to some, or Keep It Simple Stupid (the KISS principle) to others, is what currently drives their business model: acting on the harsh reality instead of theorizing about what a perfectly patched world is supposed to look like. The myth that zero day vulnerabilities are what the bad guys are after all the time comes from the concept of the black market for zero day vulnerabilities, a market which has greatly evolved from what it was a few years ago. From OS-specific, to client-side specific, this market's pragmatic nature today orbits around the exploitation of web applications. The only reason the bad guys have shifted their interests is the realization made in point one: now that they are aware that millions of users are susceptible to old flaws, what currently interests them is targeting popular web applications, which allows them to launch mass SQL injection or application-specific attacks and consequently hijack the traffic.
  3. Zero day flaws are crucial for the success of targeted attacks/advanced persistent threat campaigns - Although zero day flaws appear to be the cornerstone of a successful intrusion into a high-profile network, which is presumably better secured than the PC of the average Internet user, numerous cases show otherwise. Perhaps the most recent and widely discussed such case is the Google-China espionage saga. Think like malicious attackers in order to anticipate malicious attackers. Why didn't they try discovering a vulnerability in Google's own browser, Chrome, which should have been the company's logical browser choice in the first place? Intelligence gathering on the fact that IE6 was running on a PC was surely involved. However, what I'm trying to imply is that there's a high probability that the very same PC which was running Internet Explorer 6 could also have been exploited using ubiquitous flaws found in Adobe's products. How come? It's the insecure mentality and the lack of enforced security auditing, which would have prevented IE6 from running on one of Google's hosts in the first place. As far as targeted attack/advanced persistent threat campaigns are concerned, on a quarterly basis a malicious gang that's clearly interested in infecting high-value targets redistributes a ZeuS crimeware-serving campaign using exclusively .gov and .mil themed subjects. What's special about these campaigns in the context of zero day flaws is that they rely on the targeted user manually interacting with the binary hosted on a compromised site, not on zero day flaws. Although zero day flaws are "desirable", from my perspective they're not crucial for the success of targeted attacks.
  4. Operating system specific flaws are more widely exploited than 3rd party application/plugin flaws - Exactly the other way around. According to the SANS Institute's 2009 Top Cyber Security Risks report, application patching is much slower than operating system patching, even though client-side vulnerabilities dominate the cyber threat landscape. Microsoft's own Security Intelligence Report Volume 8 also points out that, based on its data, third-party flaws are more widely exploited than Windows OS specific flaws. Similar conclusions can be drawn by looking at BLADE Defender Labs' real-time infection data, in particular the application targeted rather than the browser targeted. Moreover, susceptibility to exploitation is one thing, the actual infection rate is entirely another. Case in point, Secunia's recently released report indicates that Apple had the most vulnerabilities throughout 2005-2010. Even if we ignore the obvious difference between Mac OS X's market share and that of Microsoft Windows, Apple's users are theoretically supposed to be under constant fire from all angles. Why aren't we seeing this trend? Pretty simple: what the shift from vendor/application-centered exploitation to the "target them all" tactic executed by the bad guys has shown us is the harsh reality, namely that the success of their infection rates is not based on the vendor/product with the most flaws, but on the lack of patching on behalf of the end users. Basically, if the users of a vendor with a relatively modest vulnerability count aren't patching, or the vendor doesn't have a well-developed communication channel, these users will still pop up as successful infections. Hence the difference between being vulnerable as a vendor, and getting actively exploited thanks to your unpatched users and a flawed communication model with them.
  5. Once a patch for a particular flaw is available, the case is closed - One of the most common myths about zero day flaws is that once the patch has been released, it's the end of the story for the vendor, which has now responsibly taken care of the vulnerability. The lack of prioritization of the second stage in the process, namely communication, next to the WGA wall, results in the current situation, where one of the world's largest botnets, Conficker, continues adding new hosts despite the fact that a patch has been released. The same situation can be seen with multiple vendors whose users don't have a clue that they're getting infected through flaws which were patched half a year ago. This lack of second-stage communication is best illustrated by contrast with the Mozilla Foundation's admirable efforts to protect the end user from himself, with initiatives such as the Plugin Check, which also offers plugin checks for users of competing browsers. If only the same socially oriented mentality were applied by high-traffic web sites, which compared to anyone else are in a perfect position to make a large-scale impact from a security awareness perspective.
  6. Full disclosure, in order to motivate a vendor to patch the flaw, benefits the community and its users - Although practice has shown that this approach acts as an incentive for vendors to start prioritizing a flaw whose existence they previously denied, the flawed communication model between the vendor and its users discussed in point five undermines this myth. How come? Pretty simple. The end user who has been using the Internet with outdated 3rd party applications and browser plugins for half a year will continue doing so, even though they perceive themselves as "Patch Tuesday" aware. They will also continue to be victims of the over-expectations placed on the effectiveness of antivirus solutions, forgetting that prevention is better than the cure. This lack of DIY "software asset management" beyond the operating system, or of awareness of the infection tactic most widely abused by the bad guys, helps them efficiently infect tens of thousands of new users on a daily basis.
  7. Zero day flaws play a crucial role in the exponential growth of data breaches - According to Verizon's most recent Data Breach Investigations Report, things are in fact even more interesting than that. The report states that, based on its data sample, "there wasn't a single confirmed intrusion that exploited a patchable vulnerability". So how are the bad guys compromising these networks and servers, resulting in the exposure of hundreds of thousands of sensitive records? By keeping it simple: targeting insecurely configured web applications, using customized malware, or basically doing everything else but emphasizing the discovery and use of zero day vulnerabilities to achieve their goals.

In no way does this post aim to disqualify the value of a zero day vulnerability to a potential attacker, or even a cyber spy. Instead, it aims to offer an objective perspective on the fact that the cybercrime ecosystem continues to thrive without the need for zero day flaws, and will continue to do so as long as millions of end users keep getting exploited with 6+ month old flaws.

Did I forget to mention a particular myth? Do you agree or disagree with some of the points made, and what's your perspective on the myth or speculation in question?

TalkBack.

Image courtesy of Microsoft's Security Intelligence Report Volume 8 report.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

42 comments
  • Well, shazam. What do you know?

    Microsoft has a horribly ugly zero day exploit out there, and all of a sudden, zero day exploits aren't so bad.
    frgough
    • So, care to disprove anything he actually wrote?

      @frgough
      To be honest, I expected the .LNK issue to be highly exploited. It isn't. KISS is alive and well. It is simpler to trick the user into infecting their own machines through social engineering than it is to use real vulnerabilities.

      However, if you actually can dispute anything that was written, please do so. We are all anxious to hear the well-thought-out arguments that you have prepared.
      NonZealot
      • I think that frgough was using sarcasm.

        @NonZealot He's referring to the constant editorial attacks against Apple's security, even though exploits don't exist for their zero day vulnerabilities. But once Microsoft gets a vulnerability, ZDNet downplays it.
        ashdude
      • RE: Seven myths about zero day vulnerabilities debunked

        @NonZealot
        I think those guys who got their data stolen recently may disagree :-)
        kirovs@...
      • What ashdude said

        It's the oldest trick in the book. You see it in the press all the time. Economy is bad when your guy is president? Articles on how liberating being unemployed can be. Unemployment goes up half a percent when the guy you don't like is president? Articles on the horrors of losing your job.
        frgough
      • RE: Seven myths about zero day vulnerabilities debunked

        All I know is that when the 2000 IPs per hour stop that has been ongoing since Feb 2009, then I'll be happy. Till then, I see signs that maybe the real worm and hacker involved may actually be coming to our notice for the first time since the real worm has been exploited by Microsoft and Pentagon personnel to hide something they don't want us to know about.
        antihacker101
      • RE: Seven myths about zero day vulnerabilities debunked

        @NonZealot Thanks for sharing. I really appreciate it that you shared with us such an informative post.
        Assignment (http://www.papermoz.com/assignments/) Essays (http://www.papermoz.co.uk/essays/)
        disturbforce
      • RE: Seven myths about zero day vulnerabilities debunked

        @NonZealot I will forward this article to him. Pretty sure he will have a good read. Thanks for sharing!
        Coursework Writing (http://www.papermoz.co.uk/coursework/coursework-writing/) Admission Essay Writing (http://www.papermoz.com/admission-essay/)
        disturbforce
      • RE: Seven myths about zero day vulnerabilities debunked

        @NonZealot I'm the same way, I do my best to remain neutral. It's hard, if you communicate with the person the other person dislikes, iao accreditation (http://www.facebook.com/internationalaccreditationorganization) then you fall out of favor with them! I simply can't dislike a person, rochville university (http://www.reviewonlineuniversity.com/universities/rochieville-university.asp) just because someone else does, I just can't.
        nestdrive
      • RE: Seven myths about zero day vulnerabilities debunked

        @NonZealot The difference between the right word and the almost right word is really a large matter: it's the difference between woodfield high school (http://www.schoolguidez.com/United_Kingdom/England_-_Doncaster/Doncaster/Woodfield_High_School_1769768/) a lightning bug and the lightning.
        nestdrive
      • RE: Seven myths about zero day vulnerabilities debunked

        This part of the article is really very informative: "Basically, even if the users of a vendor with a relatively modest vulnerabilities count aren't patching, or the vendor doesn't have a well developed communication channel, these users will pop-up as successful infections. Hence, the difference between being vulnerable as vendor, and getting actively exploited thanks to your unpatched users, next to the flawed communication model with them." I really appreciate it and would like to thank you for your efforts...

        Screening (http://www.rentalprotectionagency.com/tenant-screening.php)
        apollosan
      • RE: Seven myths about zero day vulnerabilities debunked

        I truly agree with this: "However, what I'm trying to imply is that there's a high probability that the very same PC which was running Internet Explorer 6, could have also been exploited using ubiquitous flaws found in Adobe's products. How come? It's the insecure mentality, lack of enforced security auditing which would have prevented IE6 running on one of Google's hosts in the first place." More developments will surely be coming....

        Tenant Background Check (http://www.rentalprotectionagency.com/tenant-screening.php)
        apollosan
    • Turn the corner

      @frgough
      [i]It's the oldest trick in the book. You see it in the press all the time. Unemployment goes up half a percent when the guy you don't like is president? Articles on the horrors of losing your job. [/i]

      The press may be clueless, doubly so on the national media (TV "news") front, but unemployment is REAL, widespread and on the increase. So too is [u]under[/u]employment and undercutting practices by the score. The reality is, without some form of regulatory intervention (GOV) and serious "re-thinking" (CORP), all this will become permanent as opposed to cyclical as in the past.

      Industry abuses (greed, smugness, myopia) and the mad rush toward globalism are as much to blame for this as is chronic government incompetence!

      I've been beating this same drum for years now, through so called "good times" and bad - that is, from Slick Willie and his wife Hilarious, to Dubya Jr, to Obama bin Laden. They are all part of a pre-chosen, kosherized pack of puppets on both sides, dancing to the same alien master tunes. So what's my excuse?

      [Note: I'm leaving you a wide opening here so go ahead, take your best shot] ;)
      klumper
      • Fight fight fight

        @klumper
        It's funny, but society has been going to the dogs since 18th Century and we still haven't got there.
        I admire government institutions - where else would you lock such a bunch of klutzes up?
        HugoM
      • Regress regress regress

        @HugoM
        [i]It's funny, but society has been going to the dogs since 18th Century and we still haven't got there.[/i]

        Surely we're getting closer though. Tell me you don't see the ongoing dumbing down of the masses in general, and glorification of crudeness and bad taste from even a generation back. When compared to the mores and standards of the 18th century and its "Age of Enlightenment," it's only that much worse.

        [i]I admire government institutions - where else would you lock such a bunch of klutzes up?[/i]

        Well, besides jails and asylums, you do have a point. ;)
        klumper
      • It goes back even farther than that...

        @klumper
        "I see no hope for the future of our people if they are dependent on frivolous youth of today, for certainly all youth are reckless beyond words... When I was young, we were taught to be discreet and respectful of elders, but the present youth are exceedingly wise [sarcasm] and impatient of restraint" - Hesiod, 8th century BC

        "The children now love luxury; they have bad manners, contempt for authority; they show disrespect for elders and love chatter in place of exercise. Children are now tyrants, not the servants of their households. They no longer rise when elders enter the room. They contradict their parents, chatter before company, gobble up dainties at the table, cross their legs, and tyrannize their teachers." - Attributed to Socrates by Plato, according to William L. Patty and Louise S. Johnson, [i]Personality and Adjustment,[/i] p. 277 (1953).

        My suggestion is listen to Dan Carlin's "History of Slavery" podcast. It won't solve the issues but it gives some weight to your argument.
        914four
    • Ahem

      @frgough

      You are of course aware that there currently is an even nastier Apple zero-day out there?

      So far it has only been used to allow for voluntarily jailbreaking, but the vuln [i]allows a complete rooting[/i] of any iDevice which visits a web page. Otherwise known as a drive-by rootkit. It doesn't get any uglier than that.

      I really think your whining "mainstream media wha wha wha" is misplaced. There is no preferential treatment here.

      What has recently happened is that some journalists have escaped the RDF and actually started reporting the world as it is: Apple has the worst, buggiest and most insecure software [i]out of all vendors[/i] since at least 2005.

      If you (and journalists) had been paying attention you would know this already. IBM's X-Force labs have been reporting this regularly.
      honeymonster
      • Antennagate gets more press than iOS security.

        @honeymonster They posted reports of the iDevice's security issues and it didn't generate any real hits. Why? No one cares if an iPhone or iPad can be hacked. Why should they? They just want to play games or music on them.

        But if there's an issue with the iPhone's reception? Ohhh... that's going to rile some people. Just like security rants against OSX riles Mac users. Why do they get riled? Because exploits are virtually non-existent on OSX and a free rubber bumper fixes the iPhone.
        ashdude
  • RE: Seven myths about zero day vulnerabilities debunked

    What is a zero day flaw? Are you referring to vulnerabilities that are found and reported the same day? Zero day was initially used to refer to exploits. An exploit that was released with no prior notification of the vulnerability was a zero day exploit. Zero day flaw sounds more like an oxymoron. Any flaw/vulnerability information released is a zero day flaw on the day of its release if there is no known fix for it.
    myweirdopinion
  • RE: Seven myths about zero day vulnerabilities debunked

    While Zero Day (whatever you are calling it today) vulnerabilities are important to take care of, the problem is still those that haven't been patched against something 6 months to 1 1/2 years old. Or worse, a business that uses a "mission critical" program that the vendor stopped supporting 6 years ago.

    However, the biggest problem to me is still user ignorance. Most of the problems I have to fix end up being from someone who clicked on a link in an email or downloaded that exploited pdf, or who got caught by a malicious flash adver-video.
    swattz101