
Black hats now concentrate on zero-day exploits

Posted by on July 17, 2014.

Microsoft has examined the timing of the first known exploitation of vulnerabilities in its products over the last eight years. It finds that the number of exploits peaked in 2010 at just under 70, but has since fallen dramatically to just 20 in 2013. It separated the exploits into three categories: zero-day exploits, exploits appearing within 30 days of vulnerability disclosure, and exploits appearing more than 30 days after vulnerability disclosure.

Tim Rains, director of Trustworthy Computing, suggests two primary reasons for this improvement. Writing in the Microsoft Security Blog today, he says,

First… it is much harder to find and reliably exploit remote code execution vulnerabilities because of all the security mitigations layered into Microsoft software. Second, there has been increased usage of Microsoft Update and Windows Update services over the years, providing faster protection to more systems. Organizations have more sophisticated security update deployment and risk management methodologies supported by better and more efficient deployment technologies.
When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities

It seems clear from the statistics, however, that the bad guys are now concentrating on zero-day exploits. While the other two categories have declined dramatically, zero-day exploits have declined minimally and now dominate the figures.
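The three-way timing split described above is easy to reproduce over one's own vulnerability records. The following is an added example, not Microsoft's methodology or code: it buckets each vulnerability by the gap between public disclosure and first known exploitation, tallies the buckets per year, and computes the zero-day share, which is the figure the article says now dominates. The record ids and dates are constructed placeholders, and the boundary rule (an exploit seen strictly before disclosure is a zero-day; day 0 through day 30 counts as "within 30 days") is an assumption, not the report's stated definition.

```python
from collections import Counter
from datetime import date

ZERO_DAY = "zero-day"
WITHIN_30 = "within 30 days of disclosure"
AFTER_30 = "more than 30 days after disclosure"


def classify(disclosure: date, first_exploit: date) -> str:
    """Bucket one vulnerability by when its first known exploit appeared
    relative to public disclosure.

    Assumed boundary rule (not taken from the report): strictly before
    disclosure is a zero-day; day 0 through day 30 inclusive is 'within
    30 days'; anything later is 'more than 30 days'.
    """
    delta = (first_exploit - disclosure).days
    if delta < 0:
        return ZERO_DAY
    if delta <= 30:
        return WITHIN_30
    return AFTER_30


def tally_by_year(records):
    """records: iterable of (record_id, disclosure_date, first_exploit_date).
    Returns {year: Counter(bucket -> count)}, keyed by the year in which the
    exploit first appeared, mirroring a per-year trend chart."""
    out = {}
    for _, disclosure, first_exploit in records:
        bucket = classify(disclosure, first_exploit)
        out.setdefault(first_exploit.year, Counter())[bucket] += 1
    return out


def zero_day_share(tally, year: int) -> float:
    """Fraction of that year's first-exploits that were zero-days."""
    counts = tally.get(year, Counter())
    total = sum(counts.values())
    return counts[ZERO_DAY] / total if total else 0.0


# Constructed sample data with placeholder ids (not real CVEs or real dates).
SAMPLE = [
    ("PLACEHOLDER-A", date(2010, 3, 1), date(2010, 2, 20)),   # 9 days before disclosure
    ("PLACEHOLDER-B", date(2010, 3, 1), date(2010, 3, 15)),   # 14 days after
    ("PLACEHOLDER-C", date(2010, 3, 1), date(2010, 6, 1)),    # 92 days after
    ("PLACEHOLDER-D", date(2013, 5, 14), date(2013, 5, 1)),   # zero-day
    ("PLACEHOLDER-E", date(2013, 5, 14), date(2013, 5, 14)),  # same day: within 30
]

if __name__ == "__main__":
    tally = tally_by_year(SAMPLE)
    for year in sorted(tally):
        print(year, dict(tally[year]), f"zero-day share={zero_day_share(tally, year):.2f}")
```

With the constructed sample, 2010 splits one/one/one across the buckets (zero-day share 0.33) while 2013 has two records of which one is a zero-day (share 0.50); a falling total with a flat zero-day count is exactly the pattern that makes zero-days "dominate the figures" even as the overall numbers drop.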

By definition there is no specific defence against zero-day exploits. Of course, many security products claim to be able to detect and stop them through heuristic behavioural analysis, but this can never be guaranteed. Rains has two primary recommendations.

The first is always to run the latest software since that is likely to be the most robust and include a greater number of built-in mitigation techniques:

Windows 8.1, Internet Explorer 11, and Office 2013 all take advantage of improved security features that more effectively mitigate techniques that are currently being used to exploit vulnerabilities.

The second is to deploy the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

EMET can be used to protect applications that run on all supported versions of Windows. The features included in EMET are specifically designed to break exploitation techniques that are currently used by attackers.
