
The wrong response to zero-day attacks exposes us to serious risks

Recent revelations on the Flame case raise the question of the effectiveness of “zero-day vulnerabilities“, software bugs that hackers exploit to evade the security defenses of target systems. The real problem when we talk about zero-days is the length of the period during which hackers exploit the vulnerability before the worldwide security community responds by applying the needed countermeasures. I would like to share with you the results of an interesting study by two researchers, Leyla Bilge and Tudor Dumitras from Symantec Research Labs, titled “Before We Knew It … An Empirical Study of Zero-Day Attacks In The Real World”.

The experts explained how knowledge of this type of vulnerability gives governments, hackers and cyber criminals “a free pass” to exploit any target while remaining undetected. The study explains how it is possible to identify zero-day attacks automatically from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. A typical zero-day attack has an average duration of 312 days, and once the vulnerability is publicly disclosed, an increase of 5 orders of magnitude in the volume of attacks is observable.


The lifecycle of a zero-day vulnerability is composed of the following phases:

  • Vulnerability introduced.
  • Exploit released in the wild.
  • Vulnerability discovered by the vendor.
  • Vulnerability disclosed publicly.
  • Anti-virus signatures released.
  • Patch released.
  • Patch deployment completed.
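The identification method described above (a binary that is later tied to a vulnerability, but was already being downloaded on real hosts before that vulnerability was publicly disclosed) can be reproduced on a small scale. The following is an added example, not code from the study or from the authors; it runs on constructed download telemetry, uses placeholder binary names and vulnerability identifiers (no real CVEs), and measures the phases of the lifecycle listed above: the time between “exploit released in the wild” (first sighting) and “vulnerability disclosed publicly”, the number of hosts hit before and after disclosure, and the change in download rate once the flaw is public.

```python
from collections import defaultdict
from datetime import date

# Constructed download telemetry (not data from the study): one record per
# (host, binary, download date). Hashes are replaced by readable placeholders.
TELEMETRY = [
    ("host-01", "EXPLOIT-A", date(2010, 1, 10)),   # earliest sighting of EXPLOIT-A
    ("host-01", "BENIGN-01", date(2010, 2, 1)),
    ("host-02", "EXPLOIT-A", date(2010, 3, 2)),
    ("host-03", "EXPLOIT-A", date(2010, 9, 15)),
    ("host-04", "EXPLOIT-A", date(2011, 1, 20)),   # after public disclosure
    ("host-05", "EXPLOIT-A", date(2011, 1, 21)),
    ("host-06", "EXPLOIT-A", date(2011, 1, 22)),
    ("host-07", "EXPLOIT-B", date(2011, 5, 5)),    # seen only after its disclosure
]

# Labels that become known only later, e.g. once an anti-virus signature ties a
# binary to a vulnerability. Both identifiers are hypothetical placeholders.
EXPLOITS_FOR = {"EXPLOIT-A": "CVE-PLACEHOLDER-A", "EXPLOIT-B": "CVE-PLACEHOLDER-B"}
DISCLOSED_ON = {"CVE-PLACEHOLDER-A": date(2011, 1, 15),
                "CVE-PLACEHOLDER-B": date(2011, 4, 1)}


def find_zero_day_attacks(telemetry, exploits_for, disclosed_on):
    """Retrospectively flag vulnerabilities whose exploit binary was downloaded
    on real hosts before the public disclosure date.

    Returns {cve: {"first_seen", "duration_days", "hosts_before", "hosts_after"}}.
    """
    sightings = defaultdict(list)
    for host, binary, when in telemetry:
        cve = exploits_for.get(binary)
        if cve is not None:
            sightings[cve].append((when, host))

    results = {}
    for cve, events in sightings.items():
        disclosure = disclosed_on[cve]
        first_seen = min(when for when, _ in events)
        if first_seen >= disclosure:
            continue  # exploited only after disclosure: not a zero-day attack
        results[cve] = {
            "first_seen": first_seen,
            # window between "exploit released in the wild" and "disclosed publicly"
            "duration_days": (disclosure - first_seen).days,
            "hosts_before": len({h for when, h in events if when < disclosure}),
            "hosts_after": len({h for when, h in events if when >= disclosure}),
        }
    return results


def download_rates(telemetry, exploits_for, disclosed_on, cve, window_days=30):
    """Compare the daily download rate of the exploit binaries for `cve` over the
    whole pre-disclosure period with the rate in the first `window_days` after it."""
    disclosure = disclosed_on[cve]
    dates = [when for _, binary, when in telemetry if exploits_for.get(binary) == cve]
    pre = [d for d in dates if d < disclosure]
    post = [d for d in dates if 0 <= (d - disclosure).days < window_days]
    pre_days = (disclosure - min(pre)).days if pre else 0
    return {
        "downloads_before": len(pre),
        "downloads_after": len(post),
        "rate_before": len(pre) / pre_days if pre_days else 0.0,
        "rate_after": len(post) / window_days,
    }


if __name__ == "__main__":
    for cve, info in find_zero_day_attacks(TELEMETRY, EXPLOITS_FOR, DISCLOSED_ON).items():
        print(cve, info)
        print(download_rates(TELEMETRY, EXPLOITS_FOR, DISCLOSED_ON, cve))
```

On the constructed data only the first placeholder vulnerability is flagged: its exploit was seen 370 days before disclosure on three hosts, which matches the study's observation that zero-day attacks touch few machines, and its daily download rate jumps once the flaw is public. The method is inherently retrospective: the telemetry must be kept long enough for a later label (an AV signature, a vendor advisory) to be joined back to the earlier sightings, which is what makes the 312-day average measurable at all.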

The researchers illustrated an alarming scenario: 60% of the zero-day vulnerabilities identified in the study were previously unknown. The data suggest that there are many more zero-day vulnerabilities than expected, and the average proposed for the zero-day vulnerability duration may be underestimated because of the disclosure of flaws dated 2010.

Zero-day attacks look different from massive malware infections: they usually exploit a limited number of hosts representing the targets, and the majority of the exploits in the study impacted only a few machines.

The discovery of zero-day vulnerabilities seems to be a prerogative of state-sponsored attackers; such flaws could be exploited to conduct stealthy attacks against other governments, as the recent cyber espionage campaigns show.
Around the concept of “zero-day” a market has been born in which governments are the primary actors, together with the hackers specialized in this kind of research. The role of the hacker has totally changed; I don’t understand why the way these vulnerabilities are managed could not change as well.

What are the main approaches to managing a zero-day vulnerability?

One option is the immediate disclosure of the information about the vulnerability, “full disclosure,” which, however, has as a side effect an explosion of attacks that exploit the identified flaw.
The diametrically opposite approach is to inform only the companies producing the targeted applications; this approach, however, is not always well managed by those same companies, which in fact often spend months before they release a patch that resolves the problem.

It’s clear that such vulnerabilities are unavoidable and difficult to detect, but the management process for the implementation of the necessary patches should be completely revised. The proposed “full disclosure” approach is in my opinion not practicable, but the alternative approach needs a proactive response from software producers.

A sort of register of vulnerabilities should be instituted and managed by the authorities. Once a vulnerability is enrolled in the register, it is the responsibility of the companies to proceed with the development of a patch as soon as possible in order to avoid the application of sanctions.

Software companies have responsibilities for their products and for the production of the related patches. We have discovered that by exploiting a zero-day vulnerability it is possible to attack a critical infrastructure with a serious impact on the population of a country.

My assertion is a provocation, of course; I want to express my disappointment at a wrong attitude in the management of recent vulnerabilities that has had a significant impact in several areas.

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
