Security Response

300-Day Attacks

Created: 30 Jul 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:47:38 GMT
Masaki Suenaga

Some file formats are more exposed to exploits than others. Document and spreadsheet programs, for example, are often exploited, possibly as much because of their prevalence on desktops as for any other reason. That said, keeping them patched is often easier precisely because of their widespread use: updates are often automatic or are otherwise easy to obtain.

Less pervasive programs, though, are often harder to keep current. A prime example is archive software, handling formats such as .rar among others. There are a large number of different programs available for different platforms; more importantly, they have historically been quite vulnerable to exploits, since they parse attacker-controlled headers and size fields.

When security vendors discuss a newly identified vulnerability in a program, there is always the hope that users have the latest version or that they will quickly upgrade. As we all know, though, the reality is quite different. Even at the enterprise level, employees of any given company are often using different versions of the same program. Moreover, while many exploits target newly identified vulnerabilities, many still go after older, long-patched openings.

For example, there is a RAR file that exploits an undocumented old vulnerability in WinRAR 3.5. The vulnerability was fixed in newer versions, but the likelihood is that a great number of users are still on version 3.5 or earlier. In this case, it is not a zero-day but a 300-day attack.

The RAR file can only successfully exploit the vulnerability on Windows of a certain language version. Thus, as a security vendor, it is not enough just to test a sample file on English versions of Windows. As these are targeted attacks, the exploit requires a successful combination of a particular language version of the OS and an older version of the target application; on any other combination the sample simply fails to trigger, and a test lab that only runs English Windows would wrongly conclude it is harmless.

This RAR file contains the same virus as the Word document exploiting MS06-062, meaning that there is probably a person or a group intentionally working through a series of old vulnerabilities with the expectation that some users are still running year-old, unpatched products.
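The archive case above is the kind of sample a response team has to triage without running the vulnerable extractor. As an added example (not code from the original post, and not a reproduction of the WinRAR flaw, which the post does not describe), the following walker reads the RAR 2.x/3.x block format that WinRAR 3.x handles and refuses any header whose size fields disagree with each other, rather than trusting them. The block layout follows the published RAR technote; the sample archive is constructed inline and is not a real-world file.

```python
"""Structural walker for the RAR 2.x/3.x block format (the layout WinRAR 3.x reads).

Added example for triaging archive samples: it walks the block chain and refuses
any header whose size fields are inconsistent, instead of trusting them.
Block layout follows the published RAR technote; the sample archive below is
constructed here and is not a real-world file.
"""
import struct
import zlib

RAR3_SIGNATURE = b"Rar!\x1a\x07\x00"   # marker block: CRC 0x6152, type 0x72, flags 0x1a21, size 7

BLOCK_NAMES = {0x72: "MARK", 0x73: "MAIN", 0x74: "FILE", 0x75: "COMM", 0x76: "AV",
               0x77: "SUB", 0x78: "PROTECT", 0x79: "SIGN", 0x7A: "NEWSUB", 0x7B: "ENDARC"}
LONG_BLOCK = 0x8000   # HEAD_FLAGS: 4-byte ADD_SIZE (for FILE blocks, PACK_SIZE) follows the header
LHD_LARGE = 0x0100    # FILE HEAD_FLAGS: HIGH_PACK_SIZE/HIGH_UNP_SIZE present after ATTR
FILE_FIXED = struct.Struct("<IIBIIBBHI")  # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR


def walk_rar3(data):
    """Return [(block_name, offset, head_size, data_size, filename)] for every block.

    Raises ValueError on the first structural inconsistency. Every length that
    decides how far to read is checked against the enclosing header and the file.
    """
    if not data.startswith(RAR3_SIGNATURE):
        raise ValueError("missing RAR 2.x/3.x signature")
    blocks, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 7:
            raise ValueError("truncated block header at offset %d" % pos)
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            raise ValueError("HEAD_SIZE %d smaller than the fixed header at offset %d" % (head_size, pos))
        if pos + head_size > len(data):
            raise ValueError("HEAD_SIZE %d runs past end of file at offset %d" % (head_size, pos))
        # HEAD_CRC = low 16 bits of CRC32 over the header minus its own CRC field.
        # The marker block's "CRC" is just the letters "Ra", so it is not checked.
        if head_type != 0x72 and (zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF) != head_crc:
            raise ValueError("HEAD_CRC mismatch at offset %d" % pos)
        add_size = 0
        if head_flags & LONG_BLOCK:
            if head_size < 11:
                raise ValueError("LONG_BLOCK set but no room for ADD_SIZE at offset %d" % pos)
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        name = None
        if head_type == 0x74:
            if head_size < 7 + FILE_FIXED.size:
                raise ValueError("FILE header too short at offset %d" % pos)
            pack_size, _unp, _os, _crc, _ftime, _ver, _method, name_size, _attr = FILE_FIXED.unpack_from(data, pos + 7)
            name_off = pos + 7 + FILE_FIXED.size
            add_size = pack_size
            if head_flags & LHD_LARGE:
                if head_size < 7 + FILE_FIXED.size + 8:
                    raise ValueError("LHD_LARGE set but no room for 64-bit sizes at offset %d" % pos)
                high_pack = struct.unpack_from("<I", data, name_off)[0]
                add_size |= high_pack << 32
                name_off += 8
            # The check the extractor must make: NAME_SIZE has to fit inside HEAD_SIZE.
            if name_off + name_size > pos + head_size:
                raise ValueError("NAME_SIZE %d overruns HEAD_SIZE %d at offset %d" % (name_size, head_size, pos))
            name = data[name_off:name_off + name_size]
        if pos + head_size + add_size > len(data):
            raise ValueError("block data of %d bytes runs past end of file at offset %d" % (add_size, pos))
        blocks.append((BLOCK_NAMES.get(head_type, "UNKNOWN_%02X" % head_type), pos, head_size, add_size, name))
        if head_type == 0x7B:
            break
        pos += head_size + add_size
    return blocks


def triage(data):
    """(True, block list) for a structurally consistent archive, (False, reason) otherwise."""
    try:
        return True, walk_rar3(data)
    except ValueError as exc:
        return False, str(exc)


def _block(head_type, head_flags, body):
    """Assemble one block with a correct HEAD_CRC (used only to build the constructed sample)."""
    rest = struct.pack("<BHH", head_type, head_flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def build_sample_archive(name=b"readme.txt", payload=b"hello", name_size=None):
    """Constructed sample: MAIN header, one stored (method 0x30) FILE, ENDARC.

    name_size overrides the FILE header's NAME_SIZE so callers can write a value
    that disagrees with HEAD_SIZE and see the walker reject it.
    """
    main = _block(0x73, 0x0000, b"\x00\x00" + b"\x00\x00\x00\x00")   # RESERVED1, RESERVED2
    ns = len(name) if name_size is None else name_size
    fixed = FILE_FIXED.pack(len(payload), len(payload), 2, zlib.crc32(payload) & 0xFFFFFFFF,
                            0, 29, 0x30, ns, 0x20)
    file_hdr = _block(0x74, LONG_BLOCK, fixed + name)
    return RAR3_SIGNATURE + main + file_hdr + payload + _block(0x7B, 0x0000, b"")


if __name__ == "__main__":
    for sample in (build_sample_archive(), build_sample_archive(name_size=0x4000)):
        print(triage(sample))
```

Run stand-alone, the script prints the block list for the well-formed sample and a rejection reason for the one whose NAME_SIZE claims more bytes than its HEAD_SIZE holds. The design point is that every length read from the file is validated against the length that encloses it before it is used to slice or advance; an extractor that skips that step is exactly the class of program the post describes.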

All this goes to show the importance of updating your programs whenever possible and, more importantly, of not slipping into the false comfort that automatic updates cover everything; the less pervasive programs discussed above are precisely the ones they tend to miss. Though many attackers focus on finding exploits in newer programs, old vulnerabilities in old versions of many programs are still being put to use.