Tuesday, 22 March 2011

The eEye 0-Day Watchlist

Many thousands of vulnerabilities have been discovered in software products over the years, and for many of them there are large online resources of example code and exploit information.

A good proportion of these issues have been patched or fixed over the years, so as long as a company has a very effective patch-management program and software management systems covering all the software it uses (which is surprisingly rare), fixed vulnerabilities "should" not pose a threat. The quotes are deliberate: a fix only counts once it is actually deployed to every affected system.

However, there is a class of vulnerability that is very difficult to mitigate: the 0-Day, a flaw for which no fix is yet available from the vendor.

0-Day exploits can be either public (widely known about, often with example code in the public domain) or private (known about by only a few people: the vendor, security researchers, or attackers).

Vulnerabilities are probably at their most challenging when they are 0-Day with exploit code in the public domain. That is, many people have access to the exploit, but there is no fix available from the software vendor yet.

This eEye site offers a good resource for keeping track of some of the most serious 0-Day vulnerabilities in products from some of the world's biggest software vendors:

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker

This represents only a small fraction of the exploits published each day, but it focuses on some of the most serious (because of the wide deployment of the software involved), so this information is worth keeping an eye on.


As you can see if you look through the list and drill into the details, many of these issues involve remote code execution, privilege escalation, or information disclosure.

There is a good mix of major vendors in there, but at the time of publishing, the list was heavily populated by Microsoft issues (which is generally the norm).

Here is some further research showing how 0-Day exposure windows can overlap (in this case in Internet Explorer, during 2006), which could give sophisticated attackers almost continuous and unmitigated access to exploit users and systems:

http://www.washingtonpost.com/wp-srv/technology/daily/graphics/index20070104.html

Though it is out of date, this is a rather interesting analysis (and probably took a good bit of time to put together), so it is worth taking a look at.

If you were to look at all the client-side exploits from different vendors for a typical desktop system, you could probably map out a continuous set of exposure windows (from the day an exploit becomes public to the day a fix ships) that make the system potentially vulnerable 24/7, 365 days a year.
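To make the "continuous exposure" idea concrete, here is an added example, not part of the original post and not eEye's or the Washington Post's method. It takes a list of exposure windows (the day exploit details went public, the day a fix shipped, or None if no fix has shipped yet), merges overlapping and touching windows, and reports how many days of an observation period the system had at least one known unpatched issue and where the clean gaps were. The product names and dates are constructed for illustration and are not real vulnerabilities.

```python
from datetime import date

# Constructed sample data for illustration only; these are NOT real vulnerabilities.
# Each window: (product, day exploit details became public, day the vendor fix shipped).
# A patch date of None means no fix had shipped by the end of the observation period.
SAMPLE_WINDOWS = [
    ("Browser A",    date(2010, 1, 5),  date(2010, 2, 9)),
    ("PDF reader",   date(2010, 2, 1),  date(2010, 3, 12)),
    ("Browser A",    date(2010, 3, 10), date(2010, 3, 30)),
    ("Media player", date(2010, 5, 1),  date(2010, 5, 20)),
    ("Office suite", date(2010, 5, 18), None),
]
OBSERVE_FROM = date(2010, 1, 1)
OBSERVE_UNTIL = date(2010, 7, 1)   # exclusive end of the observation period


def merge_windows(windows, observe_from, observe_until):
    """Merge per-vulnerability exposure windows into non-overlapping spans.

    Windows are half-open [public, patched): the patch day itself counts as
    fixed. Windows are clipped to the observation period, and an unpatched
    issue stays open until observe_until. Touching windows (one patched on
    the same day another went public) are merged, because the system was
    never clean in between.
    """
    spans = []
    for _, public, patched in windows:
        start = max(public, observe_from)
        end = min(patched or observe_until, observe_until)
        if start < end:            # drop windows entirely outside the period
            spans.append((start, end))
    spans.sort()
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposure_gaps(merged, observe_from, observe_until):
    """Spans inside the observation period with no known unpatched issue."""
    gaps = []
    cursor = observe_from
    for start, end in merged:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < observe_until:
        gaps.append((cursor, observe_until))
    return gaps


def exposure_report(windows, observe_from, observe_until):
    """Summarise exposed and clean days over the observation period."""
    merged = merge_windows(windows, observe_from, observe_until)
    gaps = exposure_gaps(merged, observe_from, observe_until)
    total = (observe_until - observe_from).days
    exposed = sum((e - s).days for s, e in merged)
    return {
        "observed_days": total,
        "exposed_days": exposed,
        "clean_days": total - exposed,
        "longest_exposure_days": max(((e - s).days for s, e in merged), default=0),
        "exposure_spans": [(s.isoformat(), e.isoformat()) for s, e in merged],
        "clean_spans": [(s.isoformat(), e.isoformat()) for s, e in gaps],
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_WINDOWS, OBSERVE_FROM, OBSERVE_UNTIL).items():
        print(f"{key}: {value}")
```

With the constructed data, three windows chain together into a single 84-day exposure span (5 January to 30 March), and the unpatched office-suite issue keeps the second span open to the end of the period, so the system is exposed on 145 of 181 observed days. Feeding it a real feed such as the eEye tracker would only require mapping each entry to its public and fixed dates; the half-open convention means you should check whether a source records the fix as "released" or "installed", since that difference is exactly the deployment lag the patch-management paragraph above is about.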

Defense in depth seems to be the only approach that keeps these issues under control, with anti-virus, firewalls, content security, network monitoring, privilege management, password management, patch management, configuration control and encryption being the key elements. None of these closes a 0-Day on its own; the point is that an attacker has to get past several of them. In short, these software flaws cost a lot of money to mitigate.
