First it was VML, then PowerPoint, and then setSlice -- multiple zero-day exploits in a row. And it wasn't just Microsoft. McAfee this week patched a buffer overflow vulnerability in its ePolicy Orchestrator and ProtectionPilot software after researchers posted the exploit code over the weekend.
Why this zero-day blitz? (See Phishers Launch Zero-Day Exploits.)
"I think more people are making the decision not to work with the vendors" on disclosing vulnerabilities, says Steve Manzuik, research manager for eEye Digital Security. Or they just don't care, he says.
Mozilla's Firefox was temporarily on the list of new zero-days this week until one of the hackers from ToorCon who claimed he found a zero-day exploit in Firefox backed down. Turns out all the attack may do is crash Firefox, not take over the machine.
Meanwhile, security experts say the rash of zero-days is not a concerted attack strategy, but more the planets aligning. "Starting earlier this year, we saw client-side attacks hit hard and fast," says Jose Nazario, software and security engineer for Arbor Networks. Nazario says the 31 browser bugs from HD Moore's Month of Browser Bugs (MOBB) helped fuel some of the latest zero-day attacks. (See Getting Buggy with the MOBB.)
Moore says he didn't actually discover the recent VML, ePolicy, and setSlice bugs, but he did give the exploits a little help. "Mostly I just helped with exploit development more than the actual discovery." He wrote an evasion version of the VML exploit, a working exploit for setSlice, and ported a friend's exploit code for McAfee's ePolicy Orchestrator to the Metasploit penetration tool, he says.
This may have spawned some of the attacks, security experts say, but the real problem is in the criminal mind of today's attackers. "One thing that's fairly consistent is the underground economy is jumping on zero-days as a means to infect more people with adware or crimeware," says Dan Hubbard, head of Websense Security Labs. "Now they set up sophisticated networks that are like a Web hub-and-spoke: They put links within thousands of sites that go back to the main hub sites, which have different exploit code."
And once the attackers have gathered their data, they then try to cash it in, he says. That may be one reason for the spike in zero-days lately. "Attackers were busy collecting all this data, and now they're trying to monetize it."
There are plenty more out there that haven't come to light yet, either. Randy Abrams, director of technical education for Eset, says attackers won't tip their hand all at once. "They are waiting until Patch Tuesday so they can have the longest amount of time to use the new techniques before Microsoft patches them," Abrams says. "So we're seeing bad guys with a lot of these vulnerabilities up their sleeves, but only showing their cards one at a time."
And hacker tools like WebAttacker are making it easier for non-technical bad guys to run exploits, too. Websense says 15 percent of all Websites hosting crimeware are using these types of hacker toolkits. "They don't have to be a black-hat Assembler programmer to run these tools," Hubbard says.
The two main types of zero-day attacks today exploit Internet Explorer bugs, which can also affect Outlook and Outlook Express, and Office file-format bugs.
The good news is there really hasn't been an increase in the number of exploit-writers, Arbor's Nazario says. "This is gathering momentum, but there are not a whole lot of people involved in writing these exploits," he says. "There hasn't been an explosion in the number of authors, so [zero-day increases] are constrained by that."
Nazario says Arbor can estimate how many of these exploit-writers really exist by reading exploit code and studying the methods the attackers use. They typically show patterns of recycling code, or using specific methods, he says.
And luckily, these zero-day attacks are nowhere near the scale of infamous worm attacks like SQL Slammer and Nimda, so there's no cause for panic. Still, the VML exploit has the potential to do some widespread damage, Nazario says. It had infected about a million hosts within a couple of weeks after the exploit code went public, he says. "And it's growing -- not nearly as fast as a worm or malware, but at a reasonable enough rate that we do get concerned."
Kelly Jackson Higgins, Senior Editor, Dark Reading