Microsoft’s snapshot of the state of zero-day exploits is getting a mixed reception from security experts.
The software giant’s malware analysis found zero-day exploits accounted for less than 1% of all malware in the first half of 2011 and concluded in Volume 11 of the Microsoft Security Intelligence Report that organizations should prioritize their security defenses accordingly. While experts are not surprised at the findings of the report, they fear the threat posed by malware that exploits zero-day vulnerabilities is being downplayed.
Experts say enterprises shouldn’t let their guard down. Attackers that invest time and money into developing and executing a targeted attack using a zero-day exploit are after the most sensitive corporate data, said Amol Sarwate, vulnerability labs manager at Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc. An attack of that magnitude is going after intellectual property, company financials and other closely guarded corporate secrets, he said.
“Defending against a zero-day should be pretty high on a corporation’s priority list,” Sarwate said. “Zero-days are not used to steal your account credentials or credit card numbers; they’re used to gain access to a specific kind of data at the targeted organization.”
Microsoft’s analysis of malware activity that exploits zero-day flaws was based on data collected from users of its Malicious Software Removal Tool, which is designed to check computers running Windows 7, Windows Vista, Windows XP, Windows 2000 and Windows Server 2003 for infections.
The Microsoft report found zero-day exploitation accounted for about 0.12% of all exploit activity in the first half of 2011, reaching a peak of 0.37% in June. Still, many high-profile data breaches involve a spear phishing attack that carries a zero-day exploit. The cybercriminals behind the RSA SecurID data breach used a zero-day exploit in a spear phishing attack against a low-level employee at the security company. If attackers have the financial means and sophistication, they will get in, Sarwate said.
Zero-days, which exploit vulnerabilities in the wild before a vendor can publish a security update, are rare and expensive on the black market, experts said. The vast majority of malware, which targets Java, Adobe Flash and other browser components, is packaged in automated attack toolkits designed to attack quickly and blindly, reaching a mass audience to reap account credentials and other data.
Malware distribution has become an organized business, with various iterations of the same piece of malware being created and sold in underground hacker forums, almost like fast food, said Graham Cluley, senior technology consultant at U.K.-based Sophos.
“Years ago cybercriminals took pride in what they were coding and they spent weeks or months coding something that no antivirus products would detect,” Cluley said. “Now they don’t care about quality, because they know they have another 50 examples of that malware going out in a minute and maybe one of those will get through.”
Microsoft said about 45% of exploits required user interaction. About 26% abused the Windows AutoRun feature, spreading through USB devices or network volumes mapped to drive letters. Microsoft released an update in February to make the AutoRun feature more secure.
Dan Brown, director of security research at Waltham, Mass.-based whitelisting vendor Bit9 Inc., called Microsoft’s report “slightly misleading.” Some of the most successful and dangerous attacks leveraged a zero-day vulnerability, he said. Operation Aurora, a series of successful attacks that targeted Google and dozens of other firms, exploited a zero-day vulnerability in Internet Explorer to gain access to corporate networks. Less than a year later, Stuxnet, a sophisticated Trojan that was specifically designed to target an Iranian power generation facility, could have been aimed at other firms that run specialized control equipment. Stuxnet used at least four previously unknown Microsoft zero-day flaws.
“If it weren’t for zero-days and your company practiced good security, you could sleep well at night, but nobody sleeps well these days,” Brown said. “There are so many problems with the current operating systems we use that it’s unlikely there will be a comprehensive solution to the problem anytime soon.”
Brown said even the latest technologies designed by Microsoft to defend against zero-day attacks – data execution prevention and address space layout randomization – can be bypassed by determined attackers. “A great deal of malware out there is a nuisance and in some cases it’s dangerous, but zero-days are behind a lot of the worst attacks we’ve seen the last couple of years, so enterprises can’t let their guard down,” Brown said.
In addition to employing fundamental security practices and policies, experts said companies that believe they could be targeted can take additional steps. Many security vendors offer threat intelligence services designed to provide mitigation information as soon as a zero-day surfaces. Organizations can undertake a security audit to find any gaping holes or weaknesses. Often, an unused feature in a system contains a weakness, said Sophos’ Cluley. Enterprises can turn off system capabilities not being used by employees to reduce the attack surface.
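As an added example (not part of the article and not a tool from Microsoft, Bit9, Qualys or Sophos), the following PowerShell script audits a Windows host for the three platform mitigations the article names: AutoRun suppression, data execution prevention (DEP) and address space layout randomization (ASLR). The registry locations and the WMI property are the documented Windows settings; the pass/fail thresholds are this example’s own assumptions about a hardened baseline, not figures from the report.

```powershell
# Added example: audit the mitigations discussed in the article on a Windows host.
# Run in an elevated Windows PowerShell session. Thresholds for "Pass" are assumptions
# of this example (a hardened baseline), not values taken from the Microsoft report.

function Get-AutoRunStatus {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed.
    # 0xFF (255) suppresses it for every drive type, including removable and network drives.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $found = $false
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            $found = $true
            [pscustomobject]@{
                Check  = 'AutoRun'
                Source = $p
                Value  = ('0x{0:X2}' -f [int]$v)
                Pass   = (([int]$v -band 0xFF) -eq 0xFF)   # assumption: require all drive types suppressed
            }
        }
    }
    if (-not $found) {
        # No policy value at all means the OS default applies, which the article's
        # February update tightened but which this baseline still treats as a finding.
        [pscustomobject]@{ Check = 'AutoRun'; Source = 'policy not set'; Value = 'default'; Pass = $false }
    }
}

function Get-DepStatus {
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Check  = 'DEP'
        Source = 'Win32_OperatingSystem'
        Value  = $names[$policy]
        Pass   = ($policy -eq 1 -or $policy -eq 3)   # assumption: AlwaysOn or OptOut counts as hardened
    }
}

function Get-AslrStatus {
    # MoveImages under Memory Management controls system-wide ASLR:
    # 0 disables randomisation for every image; absent or any other value leaves it enabled.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $v = (Get-ItemProperty -Path $p -Name MoveImages -ErrorAction SilentlyContinue).MoveImages
    $value = if ($null -eq $v) { 'not set (enabled)' } else { ('0x{0:X8}' -f [uint32]$v) }
    [pscustomobject]@{
        Check  = 'ASLR'
        Source = $p
        Value  = $value
        Pass   = ($null -eq $v -or [uint32]$v -ne 0)
    }
}

# Collect every finding and print a compact report; any row with Pass = False
# is a setting to review against the organisation's own baseline.
$results = @(Get-AutoRunStatus) + @(Get-DepStatus) + @(Get-AslrStatus)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more mitigations are weaker than the assumed baseline.'
}
```

The script only reads settings and reports; changing them should go through Group Policy so the result is consistent across the estate. Note that the article’s own caveat still applies: a passing report means the mitigations are on, not that a determined attacker cannot bypass them.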
The human factor will continue to be the most difficult to address, Cluley said. Attackers choose social engineering tactics to gain initial access to an end user’s system and then attempt to leverage a zero-day to gain access to the corporate network. Sustained user education will also help reduce the threat by making employees more suspicious of the links and attachments they receive in email and social networks, Cluley said.
“Microsoft is pointing out that there are more common, garden-variety attacks and that has been very true for a long time,” Cluley said. “It’s still important that enterprises aren’t completely blinded by this zero-day threat.”