The New Zero-Day
Many years ago, almost all vulnerabilities were a "zero-day" style in some respect. Vendors did not, for the most part, talk about security defects in their products and in fact, several chose not to address them at all. Information about ways to break into systems remained primarily in the hands of the attackers. Things began to change in the mid-90s, when the discussion of security bugs became more widespread. Vendors started to participate more actively in the dissemination of protective information with the goal of enabling their customers to defend their digital assets. Various communities sprouted up to facilitate this discussion, vendors set up security-alert mailing lists and Web sites, and the general awareness level of computer security was raised substantially. During this time there were, of course, those who still chose to keep vulnerability information to themselves for their own purposes, but the overall discussion of these issues was open and frank. Flaws were discovered, publicized, and patched. Many otherwise unpublicized vulnerabilities were discovered by reverse engineering a widespread attack. However, this scenario may all be changing once again.
For the third time in as many months, Symantec has discovered a targeted attack that makes use of a previously unpublicized flaw in Microsoft Office. These attacks do not appear to be a part of a coordinated global campaign, nor have we seen exactly the same attack attempted against more than one target for each instance. These attacks cannot be detected by analyzing large traffic patterns or voluminous intrusion detection system (IDS) signature alerts and firewall logs. They won't grab anyone's attention, certainly not when compared to the sea of other security software and hardware output.
Due to the proliferation of fuzzing tools, combined with the financially motivated nature of most network attacks, we can expect this trend in attacks to continue. It seems that attackers can now assume that if they have discovered a previously unknown flaw, it is quite likely that their target will not be protected against it. Fuzzing tools automate (to a large degree) the discovery of such flaws, to the extent that this knowledge can be considered an expendable resource. If an attack vector is discovered, and future targets are then protected against a particular type of attack, it won't be long before more vectors are found to replace them.
Thankfully, there are a few things we can keep in mind in order to protect ourselves. These steps still read like they fell off of a page from a "best practices" book, but maybe they aren't the ones that would have made it onto Page 1:
1: Run all applications at the lowest possible level of privilege.
2: Block or quarantine unneeded attachment types from outside the corporate network, and when exceptions are required, make them on a user-by-user basis at both ends.
3: Monitor and block unexpected outbound communications from client workstations.
4: Deploy host-based intrusion detection systems.
5: Develop user education and policies that are enforceable (and actually enforced).
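Step 2 is the one that most directly blunts the attachment-borne Office exploits described above, and it is worth seeing what "block, quarantine, and per-user exceptions" looks like as an actual gateway rule rather than a bullet point. The following is an added example written for this page, not code from Symantec or from the original post. It models a mail-gateway policy check: attachment types the organization does not need are blocked, Office document types that are needed but risky are quarantined for inspection, a named recipient may receive a type that is otherwise held, and the declared type (file extension) is cross-checked against the file's leading bytes so a renamed executable cannot pass as a document. The extension lists, the recipient addresses and the sample attachments are all constructed for the example; only the file signatures (OLE2, ZIP, PE, RTF, PDF, PNG, JPEG) are real.

```python
"""Attachment gateway policy check (added example; policy values are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"
    BLOCK = "block"


# Boundary policy, constructed for the example: adjust to what the business needs.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "js", "vbs"}
QUARANTINED_EXTENSIONS = {"doc", "xls", "ppt", "docx", "xlsx", "pptx", "rtf"}
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg"}
# Per-user exceptions (step 2's "user-by-user basis"): recipient -> extensions
# that recipient may receive even though they are quarantined for everyone else.
USER_EXCEPTIONS = {"finance-analyst@example.com": {"xls", "xlsx"}}

# Real leading-byte signatures for the file families the policy cares about.
MAGIC = {
    "ole2": bytes.fromhex("D0CF11E0A1B11AE1"),  # legacy .doc/.xls/.ppt containers
    "zip": b"PK\x03\x04",                        # OOXML .docx/.xlsx/.pptx are ZIPs
    "pe": b"MZ",                                 # Windows executables
    "rtf": b"{\\rtf",
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
EXPECTED_FAMILY = {
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "rtf": "rtf", "pdf": "pdf", "png": "png", "jpg": "jpg",
    "exe": "pe", "scr": "pe", "pif": "pe",
}


@dataclass
class Attachment:
    filename: str
    content: bytes
    recipient: str


def extension(filename: str) -> str:
    """Lower-cased final extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def magic_matches(ext: str, content: bytes) -> bool:
    """True when the leading bytes agree with the declared extension.

    Extensions with no registered signature (e.g. .txt) cannot be checked
    and are treated as consistent; the type lists still decide their fate.
    """
    family = EXPECTED_FAMILY.get(ext)
    if family is None:
        return True
    return content.startswith(MAGIC[family])


def evaluate(att: Attachment) -> tuple[Verdict, str]:
    """Apply the boundary policy to one attachment and explain the verdict."""
    ext = extension(att.filename)
    # A declared type that disagrees with the bytes is blocked outright: this is
    # the renamed-executable / disguised-document case, and no exception applies.
    if not magic_matches(ext, att.content):
        return Verdict.BLOCK, f"content does not match .{ext} signature"
    if ext in USER_EXCEPTIONS.get(att.recipient, set()):
        return Verdict.ALLOW, "per-user exception"
    if ext in BLOCKED_EXTENSIONS:
        return Verdict.BLOCK, f".{ext} not permitted from outside the network"
    if ext in QUARANTINED_EXTENSIONS:
        return Verdict.QUARANTINE, f".{ext} held for inspection"
    if ext in ALLOWED_EXTENSIONS:
        return Verdict.ALLOW, "permitted type"
    # Anything not explicitly known is held rather than passed through.
    return Verdict.QUARANTINE, f"unknown type .{ext or '?'} held for inspection"


# Constructed sample traffic: a real spreadsheet to an excepted user and to an
# ordinary user, an executable renamed to .doc, a text note, and a bare .exe.
SAMPLES = [
    Attachment("quarterly.xls", MAGIC["ole2"] + b"\x00" * 16, "finance-analyst@example.com"),
    Attachment("quarterly.xls", MAGIC["ole2"] + b"\x00" * 16, "someone@example.com"),
    Attachment("invoice.doc", b"MZ\x90\x00" + b"\x00" * 16, "someone@example.com"),
    Attachment("notes.txt", b"meeting moved to 3pm", "someone@example.com"),
    Attachment("setup.exe", b"MZ\x90\x00", "someone@example.com"),
]


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = evaluate(sample)
        print(f"{sample.filename:15} -> {sample.recipient:30} {verdict.value:10} ({reason})")
```

Note the ordering: the signature mismatch test runs before the per-user exception, so an exception can relax the type policy for one recipient but can never let through a file whose bytes contradict its name. The quarantine verdict is what actually buys time against the unpublicized-flaw attacks the post describes, since a held document can be inspected or detonated before any user opens it.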
However, when all is said and done, it is apparent that this type of attack activity will continue. I doubt that these in-the-wild discoveries will ever eclipse the volume of vulnerabilities that are discovered and disclosed by responsible researchers, but they are still there and should be a concern for anyone responsible for network protection.