I don't think that word means what you think it means.
eWeek has an enticingly titled article this week warning us all that "Zero-Day Exploits Abound at Legitimate Web Sites." This caught my eye, as I've always been impressed with the folks who are able to stay so far ahead of the curve as to notice when the bad guys are exploiting something new. I figured this might be an interesting article about someone who spoke various foreign languages and trolled through IRC channels galore and bulletin boards a-plenty looking for interesting hints of bugs-to-come (hunting these types of bugs invariably seems to involve knowledge of some non-English dialect). I was initially impressed as I read,
Exploit Prevention Labs said that the zero-day exploits are specifically being used by international cyber-crime rings targeting the operating system and Web browser flaws.
Let's recap. A zero-day exploit is one that hits "the wild" at or before the time a remediation (a patch) for the underlying vulnerability becomes available. Expecting to find out more about just how they uncovered this trove of elusive zero-day exploits, I read on. And then, right there in the next paragraph, they lost me:
In the month of May, the company said that the widely publicized WMF (Windows Metafile) attack, launched in December 2005, remained the top zero-day threat on the Web, accounting for roughly 33 percent of all the exploits it detected.
The WMF vulnerability first hit the mainstream around Christmas 2005 with a patch made public on 5 January 2006. When did the WMF bug go from being a zero-day exploit to being a "users-shoulda-patched-by-now" vulnerability? It's all about how you define the meaning of the word "go":
Exploits are a new tool being used by international cyber criminal organizations that take advantage of security vulnerabilities in common software applications such as Windows operating systems and browsers.
That's right. An "exploit" is a new tool being used by mysterious and hard-to-track international men of crime and mystery. How, oh how, will I sleep tonight? Wait, never mind.
What's most frustrating about this is that the zero-day problem certainly is real. There are people who, despite being diligent about patching, have their PCs exploited using attacks for which no countermeasure is generally available. eWeek and XPL certainly aren't the industry's version of the Wall Street Journal or Johnson & Johnson, but the average Joe out there who reads,
Microsoft and other applications vendors require an average of two months, and sometimes up to six months, to develop patches to fix newly discovered vulnerabilities. During this time period, known as "the risk window," Internet users are unprotected against exploits. In December of 2005, for example, the Windows Metafile (WMF) vulnerability was discovered and, within days, cyber-criminals such as the CoolWebSearch gang were distributing drive-by downloads to victims' computers. There even emerged an underground exchange where exploit authors were offering to sell their crimeware code to the highest bidders.
may be drawing the conclusion that Microsoft left them exposed to the WMF issue for months... and that their safety depends on purchasing a product. Granted, Microsoft is not above reproach here, but what's really behind the press releases and the media blitz? How does XPL's SocketShield product protect users against previously-unknown bugs, particularly given the patching challenges listed above, supported by additional assertions about where protection cannot take place:
SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits because exploits enter through the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition.
Firewalls? No good. Patching? Not enough. AntiVirus? Nice try, but the exploit's already on your hard drive (but has it executed?!). How will my precious browsing remain protected? For that, let's go to the literature once again:
With SocketShield, Thompson and his team have developed the industry's first zero-day exploit blocker. It does this by monitoring the browser's communications stream and stopping known exploits from getting past the browser. The technology is powered by Exploit Prevention Labs' patent-pending Intelligence Network, which brings together a unique combination of research techniques:
- Exploit Intelligence is an extended network of human researchers and automated probes, honeypots and search bots focused on discovering new vulnerabilities and exploit examples.
- The Reputation Filter creates an intelligent filter for known and suspected exploit distribution sites.
- Community Intelligence is a community of SocketShield users who allow information about attempted exploitation of their computers to be transferred to Exploit Prevention Labs.
The SocketShield Correlation Engine aggregates intelligence gained through this research, assembles it in real time, and distributes it transparently to SocketShield users, providing exploit-specific protection in minutes.
Now we have the rub: it's an application that monitors all of your browsing activity and sends some information (hopefully anonymized and with your consent) about the attacks your browser is encountering to a central repository, where data analysis is performed to quickly identify emergent threats and push out updates in reaction faster than AV vendors might. Don't get me wrong - as a method, this certainly has merit (distributed computing applied to zero-day vulnerability research) and is an interesting approach. But I'm a luddite - I'll stick with my personal firewall, my Windows Update, and my Firefox for now, thanks.
