Every day, we read about cyber-attacks and data breaches, incidents that represent in many cases a disaster for private companies and governments. Technology plays a significant role in our lives; every component that surrounds us runs a piece of software that could be affected by flaws and exploited by those with ill intentions.

Of course, the impact of these vulnerabilities depends on the nature and scope of the exposed software. Some applications are more commonly used, and their vulnerabilities could expose users to serious risks. Take for example the recent vulnerability discovered in Skype, in which a bug allowed an attacker to obtain full access to any Skype account by simply knowing the email address used by a victim during the creation of the account.

The damage that the exploitation of a vulnerability can do depends on several factors: how widely the compromised application is deployed, whether the vulnerability was already known, and the context in which the compromised application is used.

Zero-day vulnerabilities

In the wide universe of vulnerabilities, zero-day vulnerabilities represent a real nightmare for security experts. Because nothing is known about them in advance, it is impossible to predict how and when they could be exploited. This characteristic makes them ideal for use in state-sponsored attacks and in the development of cyber weapons.

Interest in the discovery of unknown vulnerabilities in widespread applications has completely changed the role of hackers. In the past, they were figures who kept away from government affairs; today, industry and even intelligence agencies have launched massive recruitment campaigns for this type of expertise.

Profiting from these vulnerabilities can be done through different channels: flaws could be sold to the makers of the compromised application; a government interested in exploiting a flaw could acquire it to conduct cyber-attacks against hostile countries; or it could be sold in the underground market.

Countermeasures and the importance of a rapid response

The lifecycle of a zero-day vulnerability is composed of the following phases:

- Vulnerability introduced.

- Exploit released in the wild.

- Vulnerability discovered by the vendor.

- Vulnerability disclosed publicly.

- Anti-virus signatures released.

- Patch released.

- Patch deployment completed.

Figure 1: Lifecycle of a zero-day vulnerability

The discovery of a zero-day vulnerability requires an urgent response. The period between the exploitation of a vulnerability and the release of the patch that fixes it is a crucial factor in the management of software flaws. Researchers Leyla Bilge and Tudor Dumitras from Symantec Research Labs presented a study entitled Before We Knew It … An Empirical Study of Zero-Day Attacks In The Real World, in which they explained how knowledge of this type of vulnerability gives governments, hackers and cyber criminals “a free pass” to exploit any target while remaining undetected. The study revealed that typical zero-day attacks have an average duration of 312 days and that, once a vulnerability is publicly disclosed, the volume of attacks increases by five orders of magnitude, as shown in the following picture.

Figure 2: Number of attacks related to the disclosure of a zero-day

The disclosure of a vulnerability triggers a series of cyber-attacks that try to benefit from its knowledge and the delay in the application of the patch. The increase in offensive activity has no specific origin, which makes it hard to prevent. Groups of cyber criminals, hacktivists and cyber terrorists could try to exploit the vulnerability in various sectors and the damage they can do depends on the context they operate in.

The belief that zero-day vulnerabilities are rare is wrong. They are vulnerabilities exactly like any others, with the fundamental difference that they are unknown. A study illustrated an alarming scenario: 60% of the flaws identified were unknown, and the data suggested that there are many more zero-day vulnerabilities than expected and that the average duration estimated for zero-day vulnerabilities may itself be underestimated.

Not only zero-days

Many professionals believe that the real nightmare of information security is zero-day vulnerabilities: flaws that are impossible to predict and that expose their infrastructures to attacks that are difficult to detect and can cause serious damage. Despite the worldwide fear of zero-day attacks, infrastructures are menaced daily by a huge list of well-known vulnerabilities for which the proper countermeasures have not yet been applied.

Failure to follow best practices in the patch management process is the main cause of problems for private companies and governments. In some cases, patch management processes are extremely slow and the window of exposure to cyber threats is extremely large. In other cases, and for various reasons, the administrators of the infrastructure do not apply the necessary updates at all, which leaves a large number of hosts exposed to attack.

Figure 3: Window of exposure
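The window of exposure in Figure 3 is easiest to reason about when it is split along the lifecycle phases listed above: the days when the exploit existed but nobody knew (zero-day), the days between disclosure and the patch, and the days a patch existed but was not yet applied (the 1-day window that patch management controls). The following script is an added example, not code from the article or from Symantec's study; the dates, the host names and the 30-day patch SLA are all constructed assumptions. It computes the per-host breakdown and a fleet-level report of who missed the SLA.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    """Milestones of one vulnerability, following the lifecycle phases above."""
    exploit_in_wild: date   # exploit first observed in the wild
    disclosed: date         # vulnerability disclosed publicly
    patch_released: date    # vendor patch available


@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Optional[date]   # None means the patch was never applied


def _overlap_days(start: date, end: date, lo: date, hi: date) -> int:
    """Number of days of [start, end) that fall inside [lo, hi)."""
    return max(0, (min(end, hi) - max(start, lo)).days)


def exposure(tl: VulnTimeline, host: Host, as_of: date) -> dict:
    """Split one host's window of exposure into the lifecycle phases.

    Exposure starts when the exploit appears in the wild and ends when the
    host is patched, or at `as_of` if it is still unpatched.
    """
    closed = as_of if host.patched_on is None else min(host.patched_on, as_of)
    start = tl.exploit_in_wild
    return {
        # nobody knew: only detection/containment could have helped here
        "zero_day": _overlap_days(start, closed, tl.exploit_in_wild, tl.disclosed),
        # public knowledge, no patch yet: mitigations and signatures only
        "disclosed_unpatched": _overlap_days(start, closed, tl.disclosed, tl.patch_released),
        # patch existed but was not applied: the 1-day window
        "one_day": _overlap_days(start, closed, tl.patch_released, as_of),
        "still_exposed": host.patched_on is None or host.patched_on > as_of,
    }


def patch_sla_report(tl: VulnTimeline, hosts, as_of: date, sla_days: int = 30) -> dict:
    """Fleet view: who patched within the SLA and how many host-days were lost to 1-day exposure."""
    deadline = tl.patch_released + timedelta(days=sla_days)
    within = [h.name for h in hosts if h.patched_on is not None and h.patched_on <= deadline]
    breached = [h.name for h in hosts if h.name not in within]
    one_day_host_days = sum(exposure(tl, h, as_of)["one_day"] for h in hosts)
    return {"within_sla": within, "breached_sla": breached,
            "one_day_host_days": one_day_host_days}


# Constructed sample data (not from the article): one vulnerability, three hosts.
SAMPLE_TIMELINE = VulnTimeline(
    exploit_in_wild=date(2012, 1, 10),
    disclosed=date(2012, 2, 1),
    patch_released=date(2012, 2, 15),
)
SAMPLE_HOSTS = [
    Host("web-01", date(2012, 2, 20)),    # patched 5 days after release
    Host("db-01", date(2012, 4, 10)),     # slow change window: 55 days
    Host("legacy-01", None),              # never patched
]
AS_OF = date(2012, 5, 1)

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.name, exposure(SAMPLE_TIMELINE, h, AS_OF))
    print(patch_sla_report(SAMPLE_TIMELINE, SAMPLE_HOSTS, AS_OF))
```

With the sample data every host carries the same 22-day zero-day exposure, which no amount of patching could have removed; what differs between hosts is the 1-day component, and that is the metric a patch-management programme should track and drive toward zero.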

The result is shocking: millions of PCs are compromised every day because simple rules are not followed. Known exploits are ineffective against correctly patched systems, but they remain a favoured option for attackers who perform large-scale attacks.

Only a few entities are able to patch their systems in a short time. Patch management has a sizable impact in large organizations with complex architectures, so each patch must be analysed in detail to avoid disrupting the IT infrastructure, which in turn requires further, time-consuming testing.

The deployment phase has a variable length. For example, in a company spread over multiple locations with a large number of strongly heterogeneous systems to patch, deployment activities are far more challenging.

A known bug is also called a 1-day vulnerability. It is cheaper than a 0-day, so it is easy for an attacker to acquire information and tools on the internet and in the underground to arrange a large-scale attack.

Developing a 0-day is expensive and time-consuming due to the intense research needed to discover and exploit the vulnerability. For this reason, this kind of exploit is typically used by governments, while cyber criminals appear to be more interested in 1-day exploits. Security firm Eset has demonstrated on many occasions how quickly the Blackhole gang can react to a 1-day opportunity.

“There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes.”

David Harley, a senior researcher, declared:

“The increase in volume of 1-day exploits suggests that even if 0-days’ research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks).”

Conclusion

Clearly, every vulnerability represents a serious threat to the specific application it affects. Moreover, it can also threaten the security of an organization or a government when it impacts the applications and infrastructure they have adopted.

It is not possible to follow a single standard approach to the huge range of vulnerabilities, but a series of actions must be put in place starting at the development phase of a product. Security requirements have to be treated as crucial in the design of every solution.

Preventing zero-day vulnerabilities is utopian, but much more can be done once they are discovered. An efficient response can prevent dramatic consequences from a security perspective. The patch management process must be improved, especially in large organizations, which are common targets of cyber-attacks and usually have long reaction times. Don’t forget that it is a race against time, and the only guaranteed defense against a 1-day attack is to patch our systems before the attackers exploit it.

Pierluigi Paganini is a security researcher for InfoSec Institute. InfoSec Institute is an IT security training company that provides popular web application pen testing courses.