Despite making up a relatively small percentage of overall malicious activity online, zero-day exploits are among the most treacherous issues facing many organizations. Such flaws often go unnoticed for a long time, and even after they are fixed many users remain at risk. Several new approaches are taking on the challenge of protecting against zero-day threats in innovative ways, but the most effective form of security is prevention through the use of tools such as static analysis software.
According to a recent blog post by Eugene Kaspersky, founder of Kaspersky Labs, Trojans account for approximately 83 percent of online threats, while just 10 percent are due to exploits. As a result, software security vulnerabilities can be a tempting issue to overlook. However, since many Trojans take advantage of exploits and the rate of successful attacks from exploits is substantially higher, the actual threat of a zero-day is comparable. Zero-day attacks can arrive through persistent targeting and social engineering or simple drive-by downloading, and the growing number of Internet users – the total is now 2.4 billion – is only making such threats more common, according to a recent Network World article.
“You see the growth of attacks targeting websites because they’re easy to reach and because there are millions of them; the footprint of what you can attack is huge,” Scott Gerlach, director of information security operations at Go Daddy, told Network World.
The challenges of fighting zero-days
A 2012 Symantec study found that the average zero-day attack goes unpatched for 312 days, or approximately 10 months, and some last as long as two and a half years. Additionally, the moment a vulnerability is publicly announced, exploits for it increase at an exponential rate. Compounding the problem is that many patches – one in 10, on average – themselves contain security flaws, Network World noted. In some cases, exploits are even disguised as fake patches.
More recently, security experts have warned that users’ slow or noncommittal responses to patch releases means that many zero-day vulnerabilities have an impact that extends far beyond the vendor’s fix. Of 1.1 billion Java users, for instance, 93 percent do not have the latest version, Network World reported. As a result, threats continue to proliferate, Gerlach told the publication.
Several security vendors have responded to the threat of zero-day exploits with new solutions, Network World reported. One company, VisiTrend, has created a data visualization program that helps administrators spot behavior indicative of zero-day exploits, while another, Sampan Security, has created a type of firewall for blocking the low-level system changes most malware needs to make in order to run automatically. Kaspersky highlighted his own firm’s solutions, which identify patterns common to previous attacks. However, he also noted that the potential for exploits often exists even where no in-the-wild attacks have been identified.
“What’s important is that if a vulnerability in a specific program isn’t found – that doesn’t mean it doesn’t exist,” he wrote. “It only means that (i) it’s used by too few folks for a vulnerability to be found by mistake, or (ii) it’s so insignificant a program that it’s not worth the bother (of the cyber-baddies) digging into it to search for mistakes.”
Rather than relying on lack of interest on the part of hackers or the protection of emerging defensive tools, the best approach for many organizations looking to avoid attacks from zero-day exploits is to ensure such software security vulnerabilities never reach production. Using tools such as static analysis software as part of a secure development lifecycle, organizations can catch errors while coding and build more robust programs. With thorough source code analysis, software can be built to contain fewer exploitable flaws, thereby diminishing risk.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.