Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Zero-day exploits: Separating fact from fiction

Roger A. Grimes | June 29, 2016
You may be surprised by the number and availability of zero-days, but that's no reason to let an attack catch you unprepared

Zero-day exploits strike fear into the heart of computer security pros. An active attack, unrecognized by antimalware software and without a ready vendor patch, is harder to deal with than your run-of-the mill security bug. You can't just run a scanner, slap on a patch, high-five your friends, and call it a day.

With zero-days, you wonder what mitigation you can apply while waiting for the vendor to release a patch. Worse, some mitigations do more damage than the exploit itself. That's why most customers don't do anything. They remain unprotected until the vendor pushes the patch.

Fortunately, while zero-days get lots of press, they aren't a huge factor. The vast majority of successful attacks and exploits arrive after the vendor has released the patch. In most cases, zero-day attacks are fairly targeted, so even the exploits "in the wild" don't spread worldwide. For example, the Stuxnet worm contained a few zero-days, but it was meant to take down specific targets, even if thousands of copies later leaked out all across the globe.

Zero-days may occur rarely, but they're high-risk, so you need to have a plan for them. Just how frequent are zero-days, whether in the wild or not? Initially, based on reading I've done over the years, I thought the number would be quite low -- perhaps five to seven zero-days per year. But a recently released NSS Labs white paper convinced me that I've underestimated.

Entitled "The Known Unknowns," the white paper analyzed data from two professional firms that offer zero-days to customers on a very expensive subscription basis. The author writes, "On any given day over the past 3 years, two vulnerability purchase programs alone gave their privileged subscribers early access to at least 58 vulnerabilities, on average, in Microsoft, Apple, Oracle or Adobe products."

Then NSS did a little more research and widened its net to more exploit vendors. In doing so, it determined that more than 100 zero-days were for sale this year alone. According to NSS Labs, the zero-days remained undisclosed to their vendors or the public for an average of 151 days. The paper continues: "NSS found subscriptions delivering 25 zero-day vulnerabilities per year can be had for $2.5 million." Not cheap!

But any nation-state can pony up that kind of money, and NSS Labs feels that some organized cyber criminals are readily capable of raising the needed funds. The paper closes with the warning, "These numbers are considered a minimum estimate of [zero-days], as it is unlikely that cybercriminals, brokers, or government agencies will ever share data about their operations."

Zero-day defenses

However you spin the numbers, the fact is you could easily be exposed to one or more zero-days in a given year. What can you do to defend yourself if you can't afford million-dollar subscription fees?

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.