How much are vendor security assurances worth after the CIA leaks?

Lucian Constantin | March 14, 2017
Software vendors will fix these vulnerabilities, but users should remember that there are always zero-day exploits out there

"Users shouldn't just presume newer versions aren't affected simply because they're not mentioned in the dumps," Eiram said.

And even if all these flaws are eventually disclosed to vendors and patched, that doesn't mean the CIA has no newer zero-day exploits. Its exploit acquisition efforts did not stop in March 2016.

The agency had exploits for unpatched vulnerabilities when its internal documents were leaked, and it's very likely that it has similar exploits for the latest versions of popular programs and operating systems at this moment.

It's important to realize that there are always zero-day exploits out there, and not just in the hands of intelligence agencies. A similar leak in 2015 from Hacking Team, an Italian company that makes surveillance software for law enforcement, revealed that the firm was regularly buying zero-day exploits from hackers.

Numerous hacker groups have used zero-day exploits in their attacks over the years, some so frequently that they probably have large stockpiles of unpatched flaws. There are also private brokers that pay huge sums of money to acquire such exploits and then resell them to their customers, which include law enforcement and intelligence agencies.

"This leak is mostly just confirming suspicions about the capabilities of such agencies more than surprising us," Eiram said.

According to Eiram, the software industry can better prevent developers from introducing vulnerabilities in their code and can build features to make exploitation harder and reduce risks. But there's no magic wand for getting rid of all vulnerabilities in the foreseeable future. If anything, annual statistics show that the number of software vulnerabilities is actually on the rise.

"For that reason, it is always good for users to keep in mind -- without developing full-blown paranoia -- that when navigating the digital world there is always someone out there who can compromise your system if they really wanted to," Eiram said. "A bit of logic, skepticism, and security awareness goes a long way, both in the physical and the digital world."

Users and companies who are likely to be the target of cyberespionage attacks should take a multilayered approach to defense that goes well beyond applying vendor patches and takes the existence of zero-day exploits into consideration.
