Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/17/2010
12:15 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

How Many (Sub) Zero-Day Attacks?

We now know that one of the vectors used in the series of attacks against U.S. businesses was a zero-day vulnerability in Internet Explorer. Apparently, the way most of the world learned of this particular flaw was when it was actually used in these attacks. That's some powerful form of "disclosure," but how common is it?

We now know that one of the vectors used in the series of attacks against U.S. businesses was a zero-day vulnerability in Internet Explorer. Apparently, the way most of the world learned of this particular flaw was when it was actually used in these attacks. That's some powerful form of "disclosure," but how common is it?We will probably never know unless software vendors start publicly disclosing how they learn of their software security flaws. A security flaw, such as that used in the attack against Google, can be uncovered several ways:

- The software vendor can uncover the vulnerability itself through a code review. They'll (hopefully) fix it, and provide a patch to customers. Other than finding the flaw during development, this is one of the best ways these things are found.

- A security researcher (customer, or someone) will find the flaw and report it to the software vendor, who will then (hopefully) provide a patch at the time the flaw is disclosed to customers.

- A security researcher finds the flaw, and announces the flaw to the world on a security mailing list, or blog post. Sometimes they'll publish exploit code at the same time, sometimes not. This is generally a bad way for the rest of the world to learn of the flaw, as software vendors have to scramble to develop the patch and everyone who uses the software is at risk of being attacked in the meantime.

- That brings us to the worst ways such vulnerabilities are found, at least for the general computing and Internet community. The software security hole is found by a black hat, cyber-criminal, or state-sponsored researcher. The flaw could be sold on the black market to other criminals to be used in their attacks. Or, in the case of state-sponsored attackers and organized crime, the flaw could be tucked away for later use in their attack arsenal.

We will usually only learn of the last category when it's used in an attack that is made public, such as Aurora. That's, presumably, how Microsoft first learned of the flaws in its security advisory 979352, when it said that it is "investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer."

In its acknowledgments section, Microsoft thanked Google, security firm Mandiant, Adobe, and McAfee for help and for providing details of the attack.

How many software flaws are discovered as zero-days under active attack? We know of plenty of zero-day attacks when the software vulnerability is disclosed publicly first, and attack code follows before the patch is published. But public disclosure of attacks in which a previously unknown (to the public or the software vendor) vulnerability is exploited are rare.

Research director at Spire Security, Pete Lindstrom, maintains a list that has 21 such vulnerabilities (he calls them undercover vulnerabilities) since 1988. The Open Source Vulnerability Database has 87 vulnerabilities categorized as "Discovered in the Wild."

Considering thousands of ordinary software security vulnerabilities are discovered every year, that's not very many. The National Vulnerability Database, as of today, has 40,408 vulnerabilities with more added every day. Divide 87 by 40,408 and you get a very small number.

Despite the relative handful of "undercover vulnerabilities and exploits" discovered in the wild -that we know of - we still have no idea if such vulnerabilities are discovered in this way with much more frequency. And that's a shame.

Lindstrom says the times he's approached software vendors about how certain vulnerabilities were uncovered, he hasn't managed to get very far. "While I have not executed an all-out full-court press on vendors, the times I did ask for follow-up to see how the vulnerability was discovered resulted in somewhat ambiguous answers about having "no information" or "disclosure agreements" that prevent any discussion about them," he wrote.

I asked Lindstrom in an e-mail exchange how important it would be to have more precise tracking of these incidents. Here's his reply:

These vulnerabilities are the most serious there are because they are already actively being exploited. Conventional wisdom suggests it is much more common than we hear about. The OSVDB shows 87 total with 18 in each of the past two years. It is difficult to assess exactly how common it is - that is part of the problem. We need to determine the extent of the problem to properly assess the effectiveness of existing controls.

I have requested meetings with Microsoft twice in the past and both times hit a stone wall - they refused to meet with me.

I agree completely that more data would be helpful. We'd know how often these sorts of attacks occur, and have a better idea what security defenses worked, which didn't, and why. The problem is getting good data, and I just do not see (beyond mandating forced reporting of certain attacks) how that's going to happen.

That's why we will probably live in mystery, when it comes to undercover vulnerabilities and exploits discovered in-the-wild, for some time to come. That only helps our adversaries.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.