
Risk

1/17/2010 12:15 PM
George V. Hulme
Commentary

How Many (Sub) Zero-Day Attacks?

We now know that one of the vectors used in the series of attacks against U.S. businesses was a zero-day vulnerability in Internet Explorer. Apparently, the way most of the world learned of this particular flaw was when it was actually used in these attacks. That's some powerful form of "disclosure," but how common is it?

We will probably never know unless software vendors start publicly disclosing how they learn of their software security flaws. A security flaw, such as that used in the attack against Google, can be uncovered several ways:

- The software vendor can uncover the vulnerability itself through a code review. They'll (hopefully) fix it, and provide a patch to customers. Other than finding the flaw during development, this is one of the best ways these things are found.

- A security researcher (customer, or someone) will find the flaw and report it to the software vendor, who will then (hopefully) provide a patch at the time the flaw is disclosed to customers.

- A security researcher finds the flaw and announces it to the world on a security mailing list or in a blog post. Sometimes they'll publish exploit code at the same time, sometimes not. This is generally a bad way for the rest of the world to learn of the flaw, as the software vendor has to scramble to develop a patch, and everyone who uses the software is at risk of being attacked in the meantime.

- That brings us to the worst way such vulnerabilities are found, at least for the general computing and Internet community: the software security hole is found by a black hat, cyber-criminal, or state-sponsored researcher. The flaw could be sold on the black market to other criminals to be used in their attacks. Or, in the case of state-sponsored attackers and organized crime, the flaw could be tucked away for later use in their attack arsenal.

We will usually only learn of the last category when it's used in an attack that is made public, such as Aurora. That's, presumably, how Microsoft first learned of the flaws in its security advisory 979352, when it said that it is "investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer."

In its acknowledgments section, Microsoft thanked Google, security firm Mandiant, Adobe, and McAfee for help and for providing details of the attack.

How many software flaws are discovered as zero-days under active attack? We know of plenty of zero-day attacks in which the software vulnerability is disclosed publicly first, and attack code follows before the patch is published. But public disclosure of attacks in which a previously unknown (to the public or the software vendor) vulnerability is exploited is rare.

Research director at Spire Security, Pete Lindstrom, maintains a list that has 21 such vulnerabilities (he calls them undercover vulnerabilities) since 1988. The Open Source Vulnerability Database has 87 vulnerabilities categorized as "Discovered in the Wild."

Considering thousands of ordinary software security vulnerabilities are discovered every year, that's not very many. The National Vulnerability Database, as of today, has 40,408 vulnerabilities with more added every day. Divide 87 by 40,408 and you get a very small number.

Despite the relative handful of "undercover vulnerabilities and exploits" discovered in the wild (that we know of), we still have no idea whether such vulnerabilities are discovered this way with much greater frequency. And that's a shame.

Lindstrom says that the times he's approached software vendors about how certain vulnerabilities were uncovered, he hasn't managed to get very far. "While I have not executed an all-out full-court press on vendors, the times I did ask for follow-up to see how the vulnerability was discovered resulted in somewhat ambiguous answers about having 'no information' or 'disclosure agreements' that prevent any discussion about them," he wrote.

I asked Lindstrom in an e-mail exchange how important it would be to have more precise tracking of these incidents. Here's his reply:

These vulnerabilities are the most serious there are because they are already actively being exploited. Conventional wisdom suggests it is much more common than we hear about. The OSVDB shows 87 total with 18 in each of the past two years. It is difficult to assess exactly how common it is - that is part of the problem. We need to determine the extent of the problem to properly assess the effectiveness of existing controls.

I have requested meetings with Microsoft twice in the past and both times hit a stone wall - they refused to meet with me.

I agree completely that more data would be helpful. We'd know how often these sorts of attacks occur, and have a better idea what security defenses worked, which didn't, and why. The problem is getting good data, and I just do not see (beyond mandating forced reporting of certain attacks) how that's going to happen.

That's why, when it comes to undercover vulnerabilities and exploits discovered in the wild, we will probably live in mystery for some time to come. That only helps our adversaries.

 
