Home > Blogs > VMware Go Blog


Zero-Day Vulnerabilities and What it Means to Your Organization

By: Jason Miller, Manager, Research and Development at VMware

For a free 30 day trial of VMware Go Pro, click here.

Note:  This is not an attack on Microsoft’s security process or vulnerabilities in their products.  Microsoft has one of the best information sharing policies that allows us to look deep into each security patch and software vulnerability.  In comparison, other vendors such as Apple and Oracle , typically only disclose very basic information on their process, vulnerabilities and patches.

There are many factors that go into classifying a zero-day vulnerability that will require an out-of-band patch release.  A zero-day vulnerability is described as a vulnerability that is actively being exploited by attackers where the vendor does not have a patch to fix the vulnerability. Understanding the types of vulnerabilities that may put your environment at risk will help you determine the level of protection that is needed across your environment.

Types of attacks
There are two different types of attacks that are factored into zero-day exploits.  The first classification is a targeted attack.  A targeted attack is a scenario where an attacker is targeting a specific company or group type.  These attacks are commonly dubbed with terms such as ‘limited’ and ‘targeted.’  A targeted attack does not affect the majority of users and the victim company typically works closely with the software vendor for investigation and a solution.

The second classification of an attack is a wide spread attack.  These attacks do not discriminate against specific companies or groups as the attack is aimed at the general public.  An example of this type of an attack is a malicious website preying on unpatched browsers or a worm attempting to exploit vulnerabilities on operating systems to create a bot network.

Targeted attacks usually do not prompt a software vendor to offer an out-of-band fix for the vulnerability as the vendor will work directly with the victim company to provide a workaround just for that company until the fix is made public.  Wide spread attacks usually prompt a software vendor to offer an out-of-band fix for the vulnerability as the general population is at risk for becoming attacked.

Understanding the type of zero-day vulnerability
There are two words that can distinguish the severity of a zero-day vulnerability that administrators should pay particular attention to – authenticated versus unauthenticated.  An authenticated attack requires an attacker to know information about the target to pull off an exploit of the vulnerability.  An example of this is a password to an account to gain access to the target system.  On the other hand, an unauthenticated attack requires no knowledge about a target system.  An example of this is a worm that exploits an operating system service without needed any information.

Is the vulnerability publicly disclosed?

A vulnerability has two ways of being disclosed, or known.  The first type is a privately disclosed vulnerability (also known as responsible disclosure).  A researcher that finds a vulnerability in a software program and only informs the software vendor about the vulnerability is a privately disclosed vulnerability.  This type of vulnerability is not widely known where attackers can research and implement attacks upon it.

The second type is a publicly disclosed vulnerability.  This type of disclosure can happen through two methods.  First, a security researcher can release the research done on a zero-day vulnerability to the public.  Second, an attacker can release the research of a zero-day vulnerability to a hacker community to share resources.  In the case of publicly disclosed vulnerabilities, the severity of the vulnerability is extreme.

Type of software or service
This is one of the most important factors of a zero-day vulnerability.  I like to make the analogy of typical attackers are a lot like sales people.  A sales person wants to find the widest range of an audience to sell to.  With this, a sales person is more likely to sell more than concentrating on a single prospect.  A typical attacker is similar in the fact that he or she wants to attack as many machines as possible to maximize results.  Today’s attacking method is looking for a result of gaining information for financial gain.  In the past, attackers typically could be seen as looking for notoriety.

Internet Browsers are the most commonly attacked software.  If an attacker can identify a zero-day vulnerability in any browser, Microsoft or non-Microsoft, the attacker can simply erect websites in hopes he/she can entice (social engineer) a person to visit the site with unpatched software to exploit their machine.

Attackers will also target any commonly used service on an operating system to carry out an attack.  Any service that has an unauthenticated vulnerability is a prime candidate for an attack.

Dealing with zero-day vulnerabilities

Monitor Vendors
Microsoft has a good track record in the software industry in regards to disclosing information around their patches and vulnerabilities.  With a Microsoft zero-day vulnerability, they will announce information when they are aware of publicly disclosed vulnerabilities and vulnerabilities that are being actively exploited.  Microsoft will publish a security advisory with the affected products, details on the effects of the vulnerability and any workarounds to help mitigate some of the risk with the vulnerability.

Other Resources
With a zero-day vulnerability, the information is spreading through many channels.  Using a resource such as the patchmanagement.org mailing list will help keep an eye on all of these active channels.  These channels are independent groups from the affected software vendor and typically provide information on how to implement workarounds provided by IT administrators that are researching the vulnerability, and any information antivirus vendors publicly release on the vulnerabilities.

Implement workarounds
At times, software vendors will supply workarounds to help mitigate the risk with vulnerabilities.  It is important to read all documentation thoroughly.  Typically, workarounds will reduce functionality on systems.  The decision on whether to implement a workaround is a risk decision that each administrator must decide.  For example, is the risk great enough to implement the workaround?  If this workaround will reduce functionality on my systems, in turn increasing the volume of support calls, but preventing a vulnerability from being exploited, is it worth implementing?  This decision is a delicate balance and there is no one answer that applies to each organization.

Antivirus
Antivirus programs are a reactionary security method.  This means, an antivirus program reacts to a virus on a system and subsequently prevents the malicious program from running.  The virus has already exploited the system and resides on the system.  Fully patching a system prevents an attacker from exploiting a vulnerability and running a malicious program (virus).  With the case of a zero-day vulnerability, a patch is not available from the vendor.  Therefore, it is absolutely critical to have an antivirus program that is up to date with the latest definition files.  Vendors, as in the case with Microsoft, work very closely with antivirus vendors to help combat the viruses and malware that target zero-day vulnerabilities.

Not all zero-day vulnerabilities have out-of-band patches
An out-of-band patch is quite rare when it comes to patching vulnerabilities.  Some of the vulnerabilities on a given Patch Tuesday could already have active attacks against them.  A decision on whether or not to release an out-of-band patch is completely in the hands of the software vendor. Some of the determining factors software vendors will take into account when determining to release an out-of-band patch include:
Is it close enough to our normal release cycle to wait on the patch release?
Are the attacks limited or targeting?
Are there more and more malware samples being created each day?
Will the quality of the accelerated patch break functionality?

Microsoft Vulnerability History
Since January 2010 through this September Patch Tuesday release, Microsoft has addressed 606 vulnerabilities in their products.

~15% of these vulnerabilities were publicly known
~4% of these vulnerabilities were actively exploited

As you can see below, the number of known and actively exploited has remained constant since 2010.  (Note:  2012 is an incomplete year with only partial data)

Year

Total Vulnerabilities

Publicly Known Vulnerabilities

Actively Exploited Vulnerabilities

% Known

% Exploited

2010

93

16

3

~17%

~3%

2011

212

35

7

~17%

~3%

2012

125

19

8

~15%

~6%

Today, we will see an out-of-band patch release from Microsoft.  I will be talking in detail about Microsoft’s history of out-of-band patch releases as well as the new out-of-band patch and how it could protect your network environment.

 

To learn more about VMware Go Pro, please visit go.vmware.com.

You can also access a free 30 day trial of VMware Go Pro here.

2 thoughts on “Zero-Day Vulnerabilities and What it Means to Your Organization

  1. Pingback: The Meaning of Out-of-band Patches and Their Microsoft History | VMware Go Blog - VMware Blogs

  2. Greg Bussmann

    Jason, this is great work. This is the best post I have seen on the topic, and any IT admin would be well-served by reading it.

    Keep up the good work.

    Greg Bussmann

Comments are closed.