Zero-day attack: Difference between revisions
Removed "Zero day warez" section--this is already in the disambiguation link and completely unassociated with Zero day attack.
→Vulnerability window: Basic re-write
Line 9: | Line 9: | ||
==Vulnerability window== |
==Vulnerability window== |
||
Zero-day attacks occur |
Zero-day attacks occur during the [[Vulnerability (computing)|vulnerability]] window that exists between the time a vulnerability |
||
is first exploited and the time software developers start to develop a counter to that threat. |
|||
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this timeline: |
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this timeline: |
||
*Release of new threat/exploit into the wild |
|||
*Detection and study of new exploit |
|||
*Development of new solution |
|||
*Release of patch or updated signature pattern to catch the exploit |
|||
*Distribution and installation of patch on users' systems or updating of virus databases |
|||
{{Fact|date=August 2007}} |
|||
*The developer creates software containg an (unknown) vulnerability |
|||
This process can last hours or days, during which networks experience the so-called '''vulnerability window'''. One report estimates the 2006 vulnerability window at 28 days<ref>"Internet Security Threat Report" Symantec Corp, Vol. X, Sept. 2006, p. 12</ref>.{{Clarify me|date=May 2009}} |
|||
*The attaker finds the vulnerability before the developer does |
|||
*The attacker writes and distributes an exploit while the vulnerability is not known to the developer |
|||
*The developer finds the vulnerability and starts developing a |
|||
Measuring the length of the vulnerability window can be dificult, as attackers don't announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. Developers also may not know if the vulnerability is being exploited when they fix it, and so may not record the vulnerability as a zero-day attack. However, it can be eaily shown that this window can be serveral years long. For example in 2010 [[Microsoft]] confirmed a vulnerability in [[Internet Explorer]], which effected some versions that were released in 2001<ref>[http://news.bbc.co.uk/2/hi/technology/7784908.stm BBC NEWS | Technology | Serious security flaw found in IE<!-- Bot generated title -->]</ref>. Unfortuatly, the date the vulnerability was first found by an attacker isn't known, however the vulnerability window in this case could have been up to 9 years. |
|||
==Protection== |
==Protection== |
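Review bot: the rewritten timeline in the new revision ends with a truncated bullet ("The developer finds the vulnerability and starts developing a"), so the section ships incomplete; it should be finished before the change is saved. The new text also introduces spelling errors ("containg", "attaker", "dificult", "eaily", "serveral", "Unfortuatly") and uses "effected" where "affected" is meant. Separately, the rewrite removes the only sourced figure in the section (the Symantec 28-day estimate for 2006 and its <ref>) and replaces it with an "up to 9 years" window that is the editor's own arithmetic from the 2001 release year rather than a figure given by the cited BBC article; the "in 2010" date should be checked against that article, and the sentence should make clear that 9 years is an upper bound inferred by the editor.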
Revision as of 02:18, 28 January 2010
A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software vendor knows about the vulnerability.
The term derives from the age of the exploit. When a vendor becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of vendor awareness, meaning the vendor has not had any opportunity to distribute a security fix to users of the software.[1]
Attack vectors
Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. For example, when users visit rogue (or black hat) web sites, code on the site may exploit vulnerabilities in web browsers. Web browsers are a particular target because of their widespread distribution and usage. Hackers can also send e-mail attachments, which exploit vulnerabilities in the application opening the attachment[2]. Typically badly written software will be vulnerable to several zero-day vulnerabilities in a short period of time. Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases like US-CERT. Users with malicious intent can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data[3].
Vulnerability window
Zero-day attacks occur during the vulnerability window that exists between the time a vulnerability is first exploited and the time software developers start to develop a counter to that threat.
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this timeline:
- The developer creates software containing an (unknown) vulnerability
- The attacker finds the vulnerability before the developer does
- The attacker writes and distributes an exploit while the vulnerability is not known to the developer
- The developer finds the vulnerability and starts developing a
Measuring the length of the vulnerability window can be difficult, as attackers don't announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. Developers also may not know if the vulnerability is being exploited when they fix it, and so may not record the vulnerability as a zero-day attack. However, it can be easily shown that this window can be several years long. For example, in 2010 Microsoft confirmed a vulnerability in Internet Explorer which affected some versions that were released in 2001[4]. Unfortunately, the date the vulnerability was first found by an attacker isn't known; however, the vulnerability window in this case could have been up to 9 years.
Protection
Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks also can remain undetected after they are launched[5].
Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities, such as buffer overflows.[citation needed] These protection mechanisms exist in contemporary operating systems such as Apple's Mac OS X, Microsoft Windows Vista, Sun Microsystems Solaris, Linux, Unix, and Unix-like environments; Microsoft Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities[6]. Desktop and server protection software also exists to mitigate zero day buffer overflow vulnerabilities.[citation needed]
"Multiple layers" provides service-agnostic protection and is the first line of defense should an exploit in any one layer be discovered. An example of this for a particular service is implementing access control lists in the service itself, restricting network access to it via local server firewalling (e.g. iptables), and then protecting the entire network with a hardware firewall. All three layers provide redundant protection in case a compromise in any one of them is discovered.
The use of port knocking or Single Packet Authorization daemons may provide effective protection against zero-day exploits in network services. However these techniques are not suitable for environments with a large number of users.
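As an added illustration of the port-knocking idea above (example code written for this page, not from the article or from any real knock daemon): a minimal server-side state machine that keeps the protected port closed by default and opens it for one source only after the secret sequence is completed in time. The sequence, time window and open duration are constructed values; every client has to share the same secret sequence, which is the scaling limit the paragraph mentions.

```python
# Minimal port-knocking state machine (added example; constructed policy values).
KNOCK_SEQUENCE = (7000, 8000, 9000)  # ports that must be hit in this order (assumption)
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the whole sequence
OPEN_DURATION = 30.0                  # seconds the protected port stays reachable

class PortKnockDaemon:
    """Tracks per-source progress through the knock sequence.

    The protected service is unreachable by default, so a scanner probing it for
    an unpatched flaw never gets a connection; only a source that completes the
    secret sequence is opened up, and only for a short time.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_for=OPEN_DURATION):
        self.sequence = sequence
        self.window = window
        self.open_for = open_for
        self.progress = {}  # src -> (index of next expected port, time of first knock)
        self.opened = {}    # src -> time at which access expires

    def knock(self, src, port, now):
        """Process one packet from src to a closed port at time now.

        Returns True only when this packet completes the sequence.
        """
        idx, started = self.progress.get(src, (0, now))
        if idx > 0 and now - started > self.window:
            idx, started = 0, now         # too slow: start the sequence over
        if port != self.sequence[idx]:
            self.progress.pop(src, None)  # wrong port (or a replayed knock) resets
            return False
        idx += 1
        if idx < len(self.sequence):
            self.progress[src] = (idx, started)
            return False
        self.progress.pop(src, None)
        self.opened[src] = now + self.open_for
        return True

    def is_open(self, src, now):
        """Whether src is currently allowed to reach the protected service."""
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self.opened[src]          # access window has elapsed
            return False
        return True
```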
Whitelisting technology effectively protects against zero day threats. Whitelisting will only allow known good applications to access a system and so any new or unknown exploits are not allowed access. Although whitelisting is effective against zero-day attack, unless it is combined with other methods of protection such as HIPS or a blacklist of virus definitions it can sometimes be quite restrictive to the user.
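To make the contrast in the paragraph above concrete, here is an added example (written for this page, not from the article or any product) of a hash-based application allowlist beside a signature-style blocklist, plus the combined mode the text describes. The sample executables and both lists are constructed; the point shown is that only the allowlist denies a never-before-seen sample, at the cost of also denying a legitimate update until its hash is approved.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable (never its name or path)."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample executables standing in for real binaries (assumption).
GOOD_EDITOR = b"MZ editor v1.0 (constructed sample)"
GOOD_EDITOR_V2 = b"MZ editor v2.0 (constructed sample)"       # legitimate update
KNOWN_MALWARE = b"MZ dropper already catalogued (constructed sample)"
NEVER_SEEN = b"MZ brand-new payload nobody has a signature for (constructed)"

ALLOWLIST = {sha256_hex(GOOD_EDITOR)}    # known-good hashes (constructed)
BLOCKLIST = {sha256_hex(KNOWN_MALWARE)}  # known-bad hashes, i.e. signatures (constructed)

def blocklist_only(content: bytes, blocklist=BLOCKLIST) -> str:
    """Signature-style control: it can only stop what has already been catalogued."""
    return "deny" if sha256_hex(content) in blocklist else "allow"

def allowlist_only(content: bytes, allowlist=ALLOWLIST) -> str:
    """Whitelisting: anything not explicitly known-good is denied, including code
    that has never been seen before, which is what covers the zero-day case."""
    return "allow" if sha256_hex(content) in allowlist else "deny"

def combined(content: bytes, allowlist=ALLOWLIST, blocklist=BLOCKLIST) -> str:
    """Allowlist first, then signatures, then hand unknowns to a HIPS-style
    behavioural monitor rather than a hard deny: less friction when legitimate
    software changes, at the price of some zero-day coverage."""
    h = sha256_hex(content)
    if h in allowlist:
        return "allow"
    if h in blocklist:
        return "deny"
    return "monitor"
```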
Engineers and vendors such as Gama-Sec in Israel and DataClone Labs in Reno, Nevada are attempting to provide support with the Zeroday Project, which purports to provide information on upcoming attacks and provide support to vulnerable systems.
Another method to avoid zero day attacks is to wait for a reasonable period of time before upgrading to a new major version. Exploits which are discovered in new software are often addressed in a timely manner by the software vendor and fixed by later minor updates. Minor updates to older software that contain security fixes should obviously always be installed to maximize security. While this method avoids "zero day" vulnerabilities that are discovered by the zeroth day of the software release cycle, security holes can be discovered at any time. If they are announced to the public before the software vendor is notified, exploits can be made on the "zeroth day" of the vulnerability window.
Ethics
Differing views surround the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity. An example of such a program is TippingPoint's Zero Day Initiative. While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is a lot of controversy over the method of disclosure. A recent German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.
Most formal efforts follow some form of RFPolicy disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response. In general these rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch.
See also
- Access Control
- Intrusion-prevention system
- Network Access Protection
- Network Access Control
- Network Admission Control
- Targeted attacks
Footnotes
- [1] About Zero Day Exploits
- [2] SANS sees upsurge in zero-day web-based attacks, Computerworld
- [3] "E-mail Residual Risk Assessment", Avinti, Inc., p. 2, http://avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf
- [4] BBC NEWS | Technology | Serious security flaw found in IE
- [5] What is a Zero-Day Exploit?
- [6] Changes to Functionality in Microsoft Windows XP Service Pack 2