
Weekly Column - Web Application Attacks

Zero Day Exploits - A Volcano Waiting to Erupt

Vijay Mukhi

There is a mindset that holds that security bugs are part of the software process and that exploits are inevitable. It is time we found a solution to this problem, as hackers are getting smarter by the day and of late are being handsomely rewarded for creating such exploits. Though it is heartening to know that zero day exploits have decreased in number compared to last year, they certainly have not vanished. The threat is still lurking, with hackers now being discreet and targeting mainly financial institutions. The volcano called zero day exploits is on the brink of eruption. It would be wise to act now, before it is too late.

Hackers write exploits in response to vulnerabilities that they detect in software. Armed with these exploits, they attempt to take full control of systems. Theoretically, if no vulnerabilities existed in software, there would be no exploits. But that is far-fetched and amounts to day-dreaming.

A zero day exploit is one for which no patch is available. Since it takes a third party a couple of days to come out with a patch or a fix for the product, an attacker can in the meantime go on a rampage, exploiting computer systems with the exploit. Hackers take it up as a challenge to develop zero day exploits.

When a bug is found, programmers are asked to work day and night and circulate a patch for the product immediately. However, users must install the patch to secure their systems. In the initial stages, when a user learned about a patch from his software vendor, he would install it immediately. One can do this for the first 100 patches, but at some point fatigue certainly sets in. Thus one postpones applying the patch to a rainy day that never comes.

The intruder is smart enough to understand this psyche of the user. So when a patch is released, he simply reverse engineers the patch to understand the vulnerability and creates an exploit. An attack is then launched on a massive scale and a large number of unpatched systems are compromised. A patch or fix consists of changing some bytes or code in an executable program or software library; the attacker generally takes advantage of this weak code and creates automated tools to attack unpatched systems.

Patch-Tuesday and Exploit-Wednesday

Microsoft used to come out with patches for security issues the moment they were detected. In the meantime, the attackers would simply create an exploit for the defect and attack systems on a large scale, as most people would not patch their systems. Microsoft then decided not to disclose the vulnerabilities immediately. Instead, the company introduced the concept of ‘Patch-Tuesday’, releasing security patches and fixes every second Tuesday of the month for the defects detected in that month. In response, the attackers came out with ‘Exploit-Wednesday’.

This also turned counter-productive, as a reboot was required after the monthly patches were installed. Servers had to be shut down for the reboot and lost business. Microsoft now has an update icon that informs the user about new updates and allows them to install the patches at the time most convenient for them. However, a reboot is still mandatory for most patches.

Patches can be dangerous, as systems will often stop working after they have been patched. So it is advisable to apply a patch to a single computer, test it thoroughly, and then and only then apply the patch to all computers on the network.

IRC - channel for exploit distribution

For obvious reasons, information on zero day exploits is not published in any magazine or publication. Companies do not generally report having been targeted by exploits either. If one scans the Internet for security stories, one rarely reads about zero day exploits successfully conducted against different sites. If, however, one walks into a chat room or other parts of the Internet underground, one will find people selling these exploits and many more for prices ranging from tens to hundreds of dollars. What is more disturbing is that it has become a global activity: these teenaged hackers are based in different parts of the world and may not even speak English. Writing these exploits is a challenge, and these hackers are making good money out of it.

The exploits nowadays are targeted at financial institutions. It is not a comfortable feeling to know that one’s system is being attacked through loopholes in paid software written by third-party vendors, and that one can do nothing about it. What is more annoying is that data, passwords, bank account information and the like are being compromised just for fun or to win some challenge. Zero day exploits have made sure that a criminal is never convicted of committing any cyber crime.

Preventive measures

It must be taken for granted that there will be bugs in software, and unless and until they are spotted no antidote will be released for them. Therefore, it would be wise to hire an ethical hacker who can spot these bugs before the product reaches the market. Companies must have an in-house hacker. This will save money in the long run, because the costs that stem from an outside intrusion are extremely high, and there is no guarantee that the systems are protected from the next incursion. As such, preventive hacking is the way to go.

Secondly, the gap between bug detection and patch release cannot be wide. Releasing a patch once a month is irrational, as the attacker would by then have had a field day breaking into systems. New norms must be set for the virtual age, and there must be zero tolerance for zero day exploits.

Next, the resident security expert must conduct regular security training programs for his programmers and keep them abreast of newer security threats and challenges to software. On all systems, patches must be installed immediately after they are released, and the systems must be kept clean of all rootkits and malware. Easier said than done!

Microsoft insists that all programmers be vigilant and follow the Security Development Lifecycle to reduce security bugs in software.

And finally, software companies must be held responsible for the losses incurred or the damage caused to their clients because of the bugs in their products.
