Zero-Day: Won't Go Away

Enterprises can expect more zero-day exploits as malware writers start to monetize their attacks

First it was VML, then PowerPoint, and then setSlice -- multiple zero-day exploits in a row. And it wasn't just Microsoft. McAfee this week patched a buffer overflow vulnerability in its ePolicy Orchestrator and ProtectionPilot software after researchers posted the exploit code over the weekend.

Why this zero-day blitz? (See Phishers Launch Zero-Day Exploits.)

"I think more people are making the decision not to work with the vendors" on disclosing vulnerabilities, says Steve Manzuik, research manager for eEye Digital Security. Or they just don't care, he says.

Mozilla's Firefox was temporarily on this week's list of new zero-days, until one of the ToorCon hackers who had claimed to find a zero-day exploit in Firefox backed down. It turned out their attack may only crash Firefox, not take over the machine.

Meanwhile, security experts say the rash of zero-days is not a concerted attack strategy, but more the planets aligning. "Starting earlier this year, we saw client-side attacks hit hard and fast," says Jose Nazario, software and security engineer for Arbor Networks. Nazario says the 31 browser bugs published in HD Moore's Month of Browser Bugs (MOBB) helped fuel some of the latest zero-day attacks. (See Getting Buggy with the MOBB.)

Moore says he didn't actually discover the recent VML, ePolicy, and setSlice bugs, but he did give the exploits a little help. "Mostly I just helped with exploit development more than the actual discovery," he says. He wrote an evasion version of the VML exploit, a working exploit for setSlice, and ported a friend's exploit code for McAfee's ePolicy Orchestrator to the Metasploit penetration-testing framework.

This may have spawned some of the attacks, security experts say, but the real problem is in the criminal mind of today's attackers. "One thing that's fairly consistent is the underground economy is jumping on zero-days as a means to infect more people with adware or crimeware," says Dan Hubbard, head of Websense Security Labs. "Now they set up sophisticated networks that are like a Web hub-and-spoke: They put links within thousands of sites that go back to the main hub sites, which have different exploit code."
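The hub-and-spoke layout Hubbard describes is visible from the crawl side: thousands of compromised "spoke" pages carry an injected iframe, script or object tag that points back at a handful of hub hosts serving the exploit code. The script below is an added example, not code from the article or from Websense: it extracts those fetch targets from a batch of crawled pages and ranks third-party hosts by how many distinct sites load content from them. The page contents and host names are constructed, and the allowlist and the `min_spokes` cutoff are assumptions to tune on real crawl data.

```python
# Added example, not code from the article or from Websense: rank third-party
# hosts by how many distinct compromised sites load content from them, which
# is the "hub-and-spoke" shape Hubbard describes. Page contents and host
# names below are constructed; the allowlist and min_spokes are assumptions.
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FetchTargets(HTMLParser):
    """Collect targets of tags the browser fetches and runs without a click."""

    FETCH_ATTRS = {"iframe": "src", "frame": "src", "script": "src",
                   "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append(value)


def external_hosts(page_url, html):
    """Hosts other than the page's own that the page pulls active content from."""
    parser = _FetchTargets()
    parser.feed(html)
    own = (urlparse(page_url).hostname or "").lower()
    hosts = set()
    for target in parser.targets:
        host = urlparse(target).hostname
        if host and host.lower() != own:
            hosts.add(host.lower())
    return hosts


def find_hubs(crawl, min_spokes=3, allow=frozenset()):
    """crawl: iterable of (page_url, html). Returns [(hub, [spoke sites])]
    for hosts referenced from at least min_spokes distinct sites, busiest
    first. `allow` suppresses known CDNs, which otherwise look like hubs."""
    spokes = defaultdict(set)
    for url, html in crawl:
        site = (urlparse(url).hostname or "").lower()
        for host in external_hosts(url, html):
            if host not in allow:
                spokes[host].add(site)
    hubs = [(host, sorted(sites)) for host, sites in spokes.items()
            if len(sites) >= min_spokes]
    return sorted(hubs, key=lambda h: (-len(h[1]), h[0]))


# Constructed crawl: five compromised sites carrying injected tags.
SAMPLE_CRAWL = [
    ("http://shop1.example/index.html",
     '<script src="/js/app.js"></script>'
     '<script src="http://cdn.example/jquery.js"></script>'
     '<iframe src="http://hub-a.example/in.cgi?3" width="0" height="0"></iframe>'),
    ("http://blog2.example/post.php",
     '<script src="http://cdn.example/jquery.js"></script>'
     '<iframe src="//HUB-A.example/in.cgi?7" style="display:none"></iframe>'),
    ("http://forum3.example/",
     '<iframe src="http://hub-a.example/in.cgi?12"></iframe>'
     '<iframe src="http://hub-b.example/index.php"></iframe>'),
    ("http://news4.example/story.html",
     '<script src="http://hub-a.example/count.js"></script>'
     '<object data="http://hub-b.example/x.swf"></object>'),
    ("http://club5.example/",
     '<script src="http://cdn.example/jquery.js"></script>'
     '<iframe src="http://hub-b.example/index.php" width="1" height="1"></iframe>'),
]

if __name__ == "__main__":
    for hub, sites in find_hubs(SAMPLE_CRAWL, allow={"cdn.example"}):
        print(f"{hub}: {len(sites)} spokes <- {', '.join(sites)}")
```

Without the allowlist a shared CDN ranks as a hub alongside the real ones, which is the main false-positive source in this kind of analysis; in practice the allowlist is seeded from hosts that were already referenced before the injection appeared.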

And once the attackers have gathered their data, they then try to cash it in, he says. That may be one reason for the spike in zero-days lately. "Attackers were busy collecting all this data, and now they're trying to monetize it."

There are plenty more out there that haven't come to light yet, either. Randy Abrams, director of technical education for Eset, says attackers won't tip their hand all at once. "They are waiting until Patch Tuesday so they can have the longest amount of time to use the new techniques before Microsoft patches them," Abrams says. "So we're seeing bad guys with a lot of these vulnerabilities up their sleeves, but only showing their cards one at a time."

And hacker tools like WebAttacker are making it easier for non-technical bad guys to run exploits, too. Websense says 15 percent of all Websites hosting crimeware are using these types of hacker toolkits. "They don't have to be a black-hat Assembler programmer to run these tools," Hubbard says.

Today's zero-day attacks fall into two main classes: Internet Explorer bugs, which also reach Outlook and Outlook Express because those clients use IE's HTML rendering engine; and Office file-format bugs.

The good news is there really hasn't been an increase in the number of exploit-writers, Arbor's Nazario says. "This is gathering momentum, but there are not a whole lot of people involved in writing these exploits," he says. "There hasn't been an explosion in the number of authors, so [zero-day increases] are constrained by that."

Nazario says Arbor can estimate how many of these exploit-writers really exist by reading exploit code and studying the methods each attacker uses. Authors typically show patterns such as recycling code or favoring specific techniques, he says.
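The code-reuse signal Nazario describes can be made mechanical. The following is an added example, not Arbor's code: it strips comments and literals from each sample so that a changed shellcode string, spray size or address does not hide a reused skeleton, splits the result into overlapping token windows, and clusters samples whose windows overlap strongly. The number of clusters is a rough lower bound on the number of distinct authors. The four samples are constructed toy snippets; the window size `k` and the 0.3 similarity threshold are assumptions to tune on a real corpus.

```python
# Added example, not Arbor's code: cluster exploit samples by the code they
# share, which is the "recycled code and specific methods" signal Nazario
# describes, and count the clusters as a rough lower bound on distinct authors.
# The samples are constructed toy snippets; shingle size k and the 0.3
# similarity threshold are assumptions to tune on real data.
import re
from itertools import combinations


def normalize(src):
    """Tokenize source after stripping comments and replacing string and
    numeric literals, so changed shellcode, addresses or spray sizes do not
    hide a reused skeleton. Renamed identifiers are still visible."""
    src = re.sub(r'"[^"\n]*"|\'[^\'\n]*\'', "STR", src)
    src = re.sub(r"//[^\n]*|/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"\b0x[0-9a-fA-F]+\b|\b\d+\b", "NUM", src)
    return re.findall(r"[A-Za-z_]\w*|[^\s\w]", src)


def shingles(tokens, k=4):
    """Set of overlapping k-token windows; the unit of 'shared code'."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster_by_reuse(samples, k=4, threshold=0.3):
    """samples: {name: source}. Single-linkage clustering: two samples join a
    cluster when their shingle Jaccard similarity reaches the threshold."""
    names = list(samples)
    sig = {n: shingles(normalize(samples[n]), k) for n in names}
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(sig[a], sig[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def estimated_authors(samples, **kw):
    return len(cluster_by_reuse(samples, **kw))


# Constructed samples: two variants of one heap-spray skeleton with different
# constants and one renamed variable, plus two unrelated snippets.
SAMPLES = {
    "spray_v1": r"""
        var shellcode = unescape("%u9090%u9090");
        var spray = unescape("%u0c0c%u0c0c");
        while (spray.length < 0x40000) spray += spray;  // fill the heap
        var heap = new Array();
        for (var i = 0; i < 200; i++) heap[i] = spray + shellcode;
    """,
    "spray_v2": r"""
        var sc = unescape("%u9090%u9090");
        var spray = unescape("%u0d0d%u0d0d");
        while (spray.length < 0x80000) spray += spray;
        var heap = new Array();
        for (var i = 0; i < 500; i++) heap[i] = spray + sc;
    """,
    "pad_loop": r"""
        function pad(s, n) { while (s.length < n) s += s; return s; }
        var blocks = [];
        var nop = "\u0c0c\u0c0c";
        for (var j = 0; j < 300; j++) { blocks.push(pad(nop, 0x10000) + "\u9090"); }
    """,
    "activex": r"""
        var o = document.createElement("object");
        o.setAttribute("classid", "clsid:00000000-0000-0000-0000-000000000000");
        document.body.appendChild(o);
        try { o.method(0x7ffffffe); } catch (e) { }
    """,
}

if __name__ == "__main__":
    for group in cluster_by_reuse(SAMPLES):
        print(sorted(group))
    print("estimated authors:", estimated_authors(SAMPLES))
```

On these samples the two spray variants land in one cluster and the other two stand alone, giving an estimate of three authors. The estimate is a lower bound because the method links samples by shared text, so two authors who copy from the same public exploit collapse into one cluster, while a single author who rewrites from scratch each time splits into several.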

And luckily, these zero-day attacks are nowhere near the scale of infamous worm attacks like SQL Slammer and Nimda, so there's no cause for panic. Still, the VML exploit has the potential to do some widespread damage, Nazario says. It had infected about a million hosts within a couple of weeks after the exploit code went public, he says. "And it's growing -- not nearly as fast as a worm or malware, but at a reasonable enough rate that we do get concerned."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
