Less than zero: Zero-day vulnerabilities

Organizations are struggling with how to more quickly account for and guard against zero-day vulnerabilities, reports Karen Epper Hoffman.

For information security professionals, zero is much more than nothing.

Zero-day vulnerabilities – those holes in software that are not generally known nor protected against – are indeed a growing concern for organizations as criminals get increasingly savvy about how to use these liabilities to their favor. In the end, experts say, it is becoming a race between how fast software makers and researchers can uncover these holes – which most commonly target Microsoft, Adobe and Java software – and distribute a patch or update, and how quickly the bad guys will get there.

Exploits that target zero-day vulnerabilities, by most accounts, are not all that common. Craig Williams, technical leader for the Cisco Threat Research, Analysis and Communications (TRAC) Outreach team, says his group regularly sees zero-day exploits “but it is far from a daily event,” adding that normally he would see one or two per month. “Companies are getting better at reducing the number of vulnerabilities that ship in their code,” he says. “Things like development lifecycles that put emphasis on security and require security-focused testing help reduce the number of bugs.”

Additionally, companies are investing in exploit-mitigation technologies – such as memory protections, sandboxes and Microsoft's Enhanced Mitigation Experience Toolkit – which Williams says can make it “much more challenging for vulnerabilities to result in useful code execution.”

Nonetheless, when they do hit, zero-day exploits can be more damaging than most because they strike where no one is looking and can remain undetected, since much current security software looks for malicious code by matching known signatures.

“Zero days are incredibly valuable to the attackers…they don't want people to know it exists, and [the length of time] between detection and disclosure can vary,” says Mark Elliott, founder and executive vice president of Quarri Technologies.

Or, in the words of Allen Harper, chief hacker and executive vice president of Tangible Security: “We have a blind spot growing in the security field and that's zero-day.”

Alex Cox, principal security researcher for RSA FirstWatch, says zero-day exploits targeting Java in particular “tend to be the most damaging as many enterprises don't have a solid patching process for it, and vulnerabilities tend to be exploitable for a longer period of time between patch cycles.”

But other experts point out that while the threat certainly hovers, actual damage has as yet been minimal. “The continued string of high-profile compromises, to Adobe source code in particular, has the potential to cause an explosion of zero-days, but we haven't really seen that yet,” says Cox. “The potential is there, just unrealized as of yet. I'd say that the use of zero-days has increased along the same lines as the threat. That is, as the bad guys' sophistication has increased, so has their ability to use zero-days in their attacks.”

In fact, says Williams, the growth rate of zero-day threats is set by the number of people attempting to exploit users of the internet. “We're seeing a much more targeted use of zero-day threats these days,” he says.

Michael Sutton, vice president of security research for Zscaler, says the landscape for zero-day vulnerabilities has evolved significantly in recent years as software makers, Microsoft in particular, have gotten increasingly better at putting out patches, and organizations have become more adept at shortening the patch cycle. The threat is no longer the “low-hanging fruit” of simple vulnerabilities, Sutton says. “It's not getting worse so much in terms of sheer volume, it's the severity of the threats and the length of time they are taking to come to the surface to get to where a vendor can address them,” Sutton says.