- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
Network World - With cybercrime hitting more than 500 million victims globally and costing $100 billion annually, it’s clear that security breaches are a problem very far from being solved. One particularly dangerous threat that doesn’t seem to be getting its fair share of attention is zero-day attacks.
True, zero-days are just one part of the overall threat landscape. However, virtually everyone is at risk from a zero-day attack. And the threat from zero-day vulnerabilities occurs long before vendor or public discovery, and remains active long after patches are released.
Kasper Lindgaard, head of research at Secunia, explains that “a zero-day vulnerability is a vulnerability that has only been discovered by hackers. The vendor does not yet know of the vulnerability and therefore has not developed a patch for it. In contrast, a general vulnerability is disclosed by the vendor who typically has a patch ready.’’
Zero-day attacks can affect just about any user. These attacks arrive through different vectors, including viruses, e-mail attachments, webpages, pop-up windows, instant messages, chat rooms, as well as by social engineering or other types of deception.
Satnam Narang, security response manager at Symantec, says, “Recently we’ve seen a lot of zero-day vulnerabilities in web browsers, as well as in third party applications required to run on some websites. For instance, vulnerabilities in WordPress allowed attackers to inject malicious code into WordPress-based websites. That malicious code takes you to a webpage that will direct you to an exploit kit that will target a vulnerability in a third-party application in your machine such as Flash, Java or your browser.”
(Shootout results: Best security tools for small business)
Scott Gerlach, director of information security operations at Go Daddy, adds, “You see the growth of attacks targeting websites because they’re easy to reach and because there are millions of them; the footprint of what you can attack is huge.” Today, that represents 2.4 billion Internet users.
Zero-Days by the numbers
Leyla Bilge and Tudor Dumitras of Symantec Research Labs released a study last fall based on four years of data from 11 million real-world hosts around the world. They found that zero-day attacks last on average 312 days, hitting multiple targets worldwide.
In some cases the attacks remained undiscovered for up to 2½ years. Even after the vulnerabilities are disclosed, the number of attacks exploiting them skyrocket as much as five orders of magnitude. Even more frightening -- one in ten patches have security bugs of their own.
Why zero-day attacks remain dangerous after a patch is issued
Just because a zero-day vulnerability is patched by the vendor does not mean the threat is gone. Gerlach pointed out that “most users don’t update Java regularly and it seems like every updated version of the Java runtime engine has some kind of zero-day workaround to whatever they fixed in the previous version. As a result, just by visiting any number of websites, systems get infected with a Java attack that is a new zero-day as well as revived former zero-days and they have little way to protect themselves other than not running Java”.