Wilders Security Forums  

#1 | dw426 | October 13th, 2011, 02:43 PM
0-Days Not As Big of a Threat as You Think

"It's time for a bit of a reality check regarding the "zero-day" bogeyman. It makes for great headlines, but a new report from Microsoft shows that the frightening menace of the zero-day is more urban myth than reality."

http://www.pcworld.com/businesscente...html#tk.hp_new

Just as I've believed and said before, 0-days just aren't that big of a deal.

#2 | Dark Shadow | October 13th, 2011, 03:42 PM

IMO, it's just scare tactics to try to get people to spend their money and bloat their PC to death with security software.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

#3 | Hungry Man | October 13th, 2011, 04:15 PM

Let's make this very clear... the article is talking about zero-day exploits and not zero-day malware.

It's fairly well known that you're more likely to be exploited by an out of date plugin/browser because of KNOWN vulnerabilities.

But most malware infections are probably from 0day malicious files.


The reason people talk about 0days so much is pretty clear: they're unknown. Defending against known exploits is often as easy as updating your software. Defending against unknown exploits means creating strong policies, etc., and hoping for the best.

I read the article a few days ago and didn't think much of it. 0days should definitely be taken seriously whether malicious files or exploits.

#4 | Dark Shadow | October 13th, 2011, 04:21 PM

Have no fear, Sandboxie is here, and a change of underwear in case my PC gets soiled.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

#5 | wat0114 | October 13th, 2011, 04:23 PM

These statements seem to sum it up nicely...

Quote:
The reality is that known vulnerabilities--often vulnerabilities which have been identified and had patches available for months--are a much bigger threat to your network and your PCs than the new proof-of-concept exploit some security researcher developed in a lab this morning.

Quote:
While the "zero-day" may not be urgent now, the fact that a security researcher has discovered and disclosed the flaw means that attackers are now aware of it as well. It may have been less of a concern previously, but once the flaw is public the race is on to patch it before malware developers actually do figure out how to exploit it.

#6 | 1chaoticadult | October 13th, 2011, 04:25 PM

I don't take any 0-day seriously. I take my security policy instead.
__________________
OS Hardening + Applocker + ExploitShield + EMET + HitmanPro

#7 | Hungry Man | October 13th, 2011, 04:27 PM

Policy in Windows isn't strong enough for me to feel confident.

Maybe the Protogon filesystem will help with permissions, idk.

#8 | noone_particular | October 13th, 2011, 04:30 PM

Zero day exploits and the malware they deliver are only a threat on systems where they're allowed to execute, aka systems relying on conventional default-permit based security apps. A zero day exploit is meaningless if it can't deliver a functional malicious payload. Of course the security app vendors won't tell you this. There's no profit in default-deny based security.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.

#9 | cozumel | October 13th, 2011, 04:39 PM

Quote:
Originally Posted by Hungry Man
Defending against unknown exploits means creating strong policies, etc., and hoping for the best.

Running a virtual machine within your OS and running Sandboxie within the VM would still not prevent a potential attack from an unknown exploit, as anything is vulnerable if the malware is well designed and targets a specific vulnerability.

Being prepared, aware and having robust procedures is all we can do. I like to think that that is more than 'hoping for the best' and keeping your fingers crossed lol
__________________
Home network: Just a firewall and on-demand apps
Laptop: Firewall and AV (sometimes realtime protection when needed)

#10 | m00nbl00d | October 13th, 2011, 04:53 PM

Quote:
Originally Posted by Hungry Man
Policy in Windows isn't strong enough for me to feel confident.

Maybe the Protogon filesystem will help with permissions, idk.

After November (day 3), things will be safer for AppLocker users.

#11 | dw426 | October 13th, 2011, 05:25 PM

Quote:
Originally Posted by Hungry Man
Let's make this very clear... the article is talking about zero-day exploits and not zero-day malware.

It's fairly well known that you're more likely to be exploited by an out of date plugin/browser because of KNOWN vulnerabilities.

But most malware infections are probably from 0day malicious files.


The reason people talk about 0days so much is pretty clear: they're unknown. Defending against known exploits is often as easy as updating your software. Defending against unknown exploits means creating strong policies, etc., and hoping for the best.

I read the article a few days ago and didn't think much of it. 0days should definitely be taken seriously whether malicious files or exploits.

Well, I disagree. The article reports that zero-day exploit threats are practically nil. So, even a zero-day malware piece that is designed to exploit a vulnerability that is no longer there is also non-threatening. Besides, I have not seen, in all my years of computing, that many true "zero-day" malware. The vast majority of malware that is "new" is nothing more than tweaked versions of already familiar malware. I really don't care that security companies come out with their scare reports. I only care about what is in the wild and a real threat to users.

I'm sorry, but security companies pull in millions/billions a year playing the same game the "Haunted House" industry does, which is scare the hell out of you.

#12 | 1chaoticadult | October 13th, 2011, 05:38 PM

Quote:
Originally Posted by dw426
I'm sorry, but security companies pull in millions/billions a year playing the same game the "Haunted House" industry does, which is scare the hell out of you.

That trick only works on the ill-informed.
__________________
OS Hardening + Applocker + ExploitShield + EMET + HitmanPro

#13 | m00nbl00d | October 13th, 2011, 05:54 PM

Quote:
Originally Posted by dw426
Well, I disagree. The article reports that zero-day exploit threats are practically nil.

The question is: In whom to believe?

A few weeks ago, Google released a report stating otherwise. Who's being the big liar? Google? Microsoft?



Quote:
So, even a zero-day malware piece that is designed to exploit a vulnerability that is no longer there, is also non-threatening.

A zero-day exploiting a patched vulnerability is not dangerous, of course. But, the same zero-day will remain dangerous as long as many systems and applications run unpatched, and that is, unfortunately, a reality.

But, if exploits aren't, and never were, that much of a threat, then why does Internet Explorer have a sandbox? Why sandbox something that isn't a threat? I suppose Microsoft will take it away with IE10?

#14 | Rmus (Exploit Analyst) | October 13th, 2011, 06:02 PM

Quote:
Originally Posted by noone_particular
Zero day exploits and the malware they deliver is only a threat on systems where they're allowed to execute, aka systems relying on conventional default-permit based security apps. A zero day exploit is meaningless if it can't deliver a functional malicious payload. Of course the security app vendors won't tell you this. There's no profit in default-deny based security.
The Stuxnet worm is a good example. To install its payload, it used 1 - 4 Zero-day exploits (depending on how you define Zero-day).

INFILTRATING CRITICAL INFRASTRUCTURES
http://www.aisec.fraunhofer.de/conte...ie_stuxnet.pdf
Quote:
W32.Stuxnet is initially delivered to a PC via a dropper executable, which wraps a relatively large (approximately 1.5 MB) dll file containing many hidden resources, exports, and two configuration files.
A secure Default-Deny Policy stops Stuxnet cold.

A Policy doesn't always mean a product. In the original targeted scenarios, no extra security product was required:

Quote:
W32.Stuxnet most likely used a spreading mechanism via portable storage devices (e.g., USB drives). This was already a preferred propagation method many years ago (e.g., floppy disks), when the transport via infected portable media was the only channel to reach a large group of computer systems. Combining these techniques with the abuse of Windows autorun functionalities was also quite common.
Shortly after the emergence of the LNK exploit, I happened to meet someone who is a system administrator overseeing 300+ computers. He said that they had a Group Policy whereby no executables can run/load from external media on the work computers.

End of Exploit -- Zero-day or not, it didn't matter.

regards,

-rich
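An added illustration of the default-deny idea in this post and in noone_particular's post #8 above. It is not code from the Fraunhofer paper, from Rmus, or from any Microsoft tool; it simulates the kind of path-based allow rules that AppLocker or Software Restriction Policies express, with the rules, drive letters and sample paths all assumed for the example. The point it makes beyond the posts is the one that trips people up in practice: a rule that allows everything under C:\Windows also allows user-writable folders such as C:\Windows\Temp unless they are excluded, and paths must be normalised before matching.

```python
"""
Path-based default-deny execution policy, simulated (added example, not a
real policy engine). Rules, drive letters and sample paths are assumptions.
"""
import ntpath
from dataclasses import dataclass

# Assumption: these drive letters are removable media on the sample machine.
REMOVABLE_DRIVES = {"e:", "f:"}

# Trusted roots, writable only by administrators on a default install.
ALLOWED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# User-writable folders underneath a trusted root. Without these exceptions a
# payload dropped into C:\Windows\Temp would satisfy the C:\Windows allow rule.
WRITABLE_EXCEPTIONS = (r"C:\Windows\Temp", r"C:\Windows\Tasks", r"C:\Windows\Tracing")


def _norm(path: str) -> str:
    # Resolve "..", duplicate separators and case, so that a path such as
    # C:\Windows\..\Users\bob\x.exe is not mistaken for something under C:\Windows.
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, root: str) -> bool:
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


@dataclass
class Decision:
    path: str
    allowed: bool
    reason: str


def evaluate(path: str) -> Decision:
    """Default deny: allow only when an allow rule matches and no exception does."""
    drive, _ = ntpath.splitdrive(_norm(path))
    if drive in REMOVABLE_DRIVES:
        return Decision(path, False, "execution from removable media is blocked")
    for exc in WRITABLE_EXCEPTIONS:
        if _under(path, exc):
            return Decision(path, False, f"user-writable folder {exc} is excluded")
    for root in ALLOWED_ROOTS:
        if _under(path, root):
            return Decision(path, True, f"matches allow rule for {root}")
    return Decision(path, False, "no allow rule matches (default deny)")


# Constructed sample: two normal programs and four places a dropper might land.
SAMPLE_PATHS = [
    r"C:\Windows\System32\notepad.exe",
    r"c:\program files\internet explorer\iexplore.exe",
    r"E:\dropper.exe",                              # USB stick
    r"C:\Users\bob\AppData\Local\Temp\update.exe",  # typical browser drop location
    r"C:\Windows\Temp\payload.exe",                 # writable folder under a trusted root
    r"C:\Windows\..\Users\bob\evil.exe",            # traversal past the trusted root
]

if __name__ == "__main__":
    for d in map(evaluate, SAMPLE_PATHS):
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.path:50} {d.reason}")
```

Only the first two sample paths are allowed; the USB-stick path is refused before any allow rule is consulted, which is the "end of exploit" effect the Group Policy in the post relies on. On a real host the same checks live in the OS (AppLocker or SRP path rules, plus the removable-media restriction), and the writable-folder exceptions have to be maintained there just as they are here.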

#15 | Rmus (Exploit Analyst) | October 13th, 2011, 06:12 PM

Quote:
Originally Posted by m00nbl00d
But, if exploits aren't, and never were, that much of a threat, then why does Internet Explorer have a sandbox? Why sandbox something that isn't a threat?
No sane person will deny that exploits are a threat.

I've contended in the past that a Sandbox is a fail-safe device to contain the malware payload that is permitted to execute and get by the perimeter defense.

Nothing wrong with that at all, but not necessary if you feel secure with your Policies and Procedures that prevent the exploit from running in the first place.

Example: Adobe's Sandbox.

With the browser properly configured, the malicious payload will never make its way into the Sandbox because the code embedded in the web page will not be able to execute its commands to drop the payload executable.

Regards,

-rich

#16 | Sully | October 13th, 2011, 07:02 PM

I think most everyone can agree that there are very real threats lying about. Whenever I see this sort of talk, it usually reminds me that I do need to have a set of protocols and tools in place, because threats do exist - but it also reminds me that I am very happy to be out of that "business model".

There have been various threads here over the years about whether an average user should have to make any decisions (become educated) or not. I don't think it is too outlandish to suggest that if there is no education, then they are merely a piece of the security business model. And like all businesses, you must have demand to sell your supply. Are reports and talk of 0-day threats fact or fiction?

Well, they are both. Some reports seem rather obvious (at least to me) due to the sensationalism they depict (the world is doomed, unless you use our product) and others seem to downplay it as a non-existent threat.

That is why I say users who really want "freedom" need to be educated. There are pitfalls out there, but you have to understand them to avoid them. And the pitfalls are not only viruses/malware/trojans, but also really crappy software that you have to buy, or freeware that just sucks. The amount of knowledge needed of course will vary greatly, but lack of any knowledge or sticking your head in the sand both seem illogical to me.

Sul.
__________________
I do things TO my computer, not WITH my computer.. I am a nerd.

#17 | noone_particular | October 13th, 2011, 07:04 PM

Sandboxing is necessary to contain code that shouldn't have been allowed to execute in the first place. IMO sandboxing should be regarded as a 2nd line of defense. It should be used to contain legitimate attack surface applications in order to protect the rest of the system from code embedded in the files, media, etc that these apps open, a malicious PDF for instance. Other non-whitelisted executables, should never get that far. Running unknown executables in a sandbox keeps the user in a continual arms race with those who write that code. Eventually, someone breaks the containment, the sandbox gets patched, and the cycle repeats. It's the usual penetrate and patch routine, the same reactive policy that results in casualties and/or damage before the patch is released.
Quote:
A Policy doesn't always mean a product. In the original targeted scenarios, no extra security product was required:
Very true. There are several ways to implement a default-deny policy, just as there are several ways to sandbox your attack surface, e.g. a sandbox app, virtual system, system policy, 3rd party HIPS rules, etc. What the user chooses is largely a matter of preference and trust. Myself, I don't trust Microsoft's built in tools to control the OS components, no matter how well it controls other software. That aside, for exploits that target the attack surface and malicious code contained in legitimate appearing files, how you sandbox them is not particularly important, as long as you do.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.

#18 | Hungry Man | October 13th, 2011, 07:16 PM

IDK why anyone is talking about sandboxing like it can't be policy.

Anyways,

Quote:
Well, I disagree. The article reports that zero-day exploit threats are practically nil. So, even a zero-day malware piece that is designed to exploit a vulnerability that is no longer there is also non-threatening. Besides, I have not seen, in all my years of computing, that many true "zero-day" malware. The vast majority of malware that is "new" is nothing more than tweaked versions of already familiar malware. I really don't care that security companies come out with their scare reports. I only care about what is in the wild and a real threat to users.
Yes, 0day exploits are not a huge deal.

But let's not forget:
http://www.adobe.com/support/securit...apsa11-01.html
or even:
http://www.zdnet.com/blog/security/a...-the-wild/1189

0-day exploits happen... and they're taken advantage of. They're not always in the OS but they DO happen. Uncommon or not they are absolutely not something to be scoffed at, again because it's so difficult to protect yourself against them.

As for security companies and scare reports, idk about that. Considering that most security software absolutely fails to deal with 0days I don't think they'd focus much on that!

Now to focus on this:
Quote:
Besides, I have not seen, in all my years of computing that many true "zero-day" malware. The vast majority of malware that is "new", is nothing more than tweaked versions of already familiar malware.
I don't see your point.

Zero-day malware does not have to use exploits; it can be entirely socially engineered. It also can be a simple update to an older piece of malware to move around heuristics/blacklists.

It's still 0day and most of the malware you run into probably hasn't existed for more than a few days. That's not always the case, but there are hundreds of new malicious files (updates or not they're 0day malicious files) and they DO get spread around a ton.

Again, Microsoft is talking about exploits... not files. 0day files are actually what I'd say they consider to be the huge threat here. Consider SmartScreen: the idea is to stop new files from being downloaded without the user's knowledge. It's aimed at NEW socially engineered malware.

And as was brought up by someone above, this is a report by Microsoft. We've seen just as fancy reports by Google and we've seen reports by others contradicting them. There are so many arguments both ways I personally have no clue anymore.

On the one hand you've got Google, a company with more information on the web than nearly any other. Then we have Microsoft, a tech giant with more Windows-specific information than anyone else.

Personally, I only care about 0day exploits. It's the only thing that's really just "out of my hands."

#19 | LoneWolf | October 13th, 2011, 07:20 PM

Quote:
Originally Posted by dw426
Just as I've believed and said before, 0-days just aren't that big of a deal.

Believe what you want, I'd rather be safe than sorry.

Quote:
Originally Posted by Rmus
No sane person will deny that exploits are a threat.

I've contended in the past that a Sandbox is a fail-safe device to contain the malware payload that is permitted to execute and get by the perimeter defense.

Nothing wrong with that at all, but not necessary if you feel secure with your Policies and Procedures that prevent the exploit from running in the first place.
-rich

Couldn't agree more.


Quote:
Originally Posted by noone_particular
Sandboxing is necessary to contain code that shouldn't have been allowed to execute in the first place. IMO sandboxing should be regarded as a 2nd line of defense. It should be used to contain legitimate attack surface applications in order to protect the rest of the system from code embedded in the files, media, etc that these apps open, a malicious PDF for instance. Other non-whitelisted executables, should never get that far. Running unknown executables in a sandbox keeps the user in a continual arms race with those who write that code. Eventually, someone breaks the containment, the sandbox gets patched, and the cycle repeats. It's the usual penetrate and patch routine, the same reactive policy that results in casualties and/or damage before the patch is released.

Very true. There are several ways to implement a default-deny policy, just as there are several ways to sandbox your attack surface, e.g. a sandbox app, virtual system, system policy, 3rd party HIPS rules, etc. What the user chooses is largely a matter of preference and trust. Myself, I don't trust Microsoft's built in tools to control the OS components, no matter how well it controls other software. That aside, for exploits that target the attack surface and malicious code contained in legitimate appearing files, how you sandbox them is not particularly important, as long as you do.

Well said.
Some form of sandbox/containment/default deny policy is IMO a very wise decision, and will always be a part of my setup.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness

#20 | CogitoTesting | October 13th, 2011, 07:28 PM

Quote:
Originally Posted by djohn
Have no fear, Sandboxie is here, and a change of underwear in case my PC gets soiled.

Oh my gosh, you are quite poetic.

Thanks.
__________________
Genuine Machine : On Access and On Demand Security Apparatus: Maya, My Dearest Beloved
Fake Machine (Windows 7): Private Firewall 7, Avast Antivirus 7 (free), and BufferZone 4

#21 | noone_particular | October 13th, 2011, 07:34 PM

Quote:
IDK why anyone is talking about sandboxing like it can't be policy.
I did say it.
Quote:
just as there's several ways to sandbox your attack surface, eg a sandbox app, virtual system, system policy, 3rd party HIPS rules, etc.
I run a policy sandbox. The main difference is that it's enforced as much by HIPS as it is by the built in tools.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.

#22 | Hungry Man | October 13th, 2011, 07:36 PM

Ah, well there we go.

#23 | Dark Shadow | October 13th, 2011, 07:53 PM

Quote:
Originally Posted by CogitoTesting
Oh my gosh, you are quite poetic.

Thanks.
Not really but thanks.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

#24 | TonyW | October 13th, 2011, 08:37 PM

Quote:
Originally Posted by Hungry Man
But most malware infections are probably from 0day malicious files.
And many of those are on sites which some of us don't come into contact with, unless you make a point of visiting malc0de, MDL or similar where they're listed there. And often not for long either.

#25 | Hungry Man | October 13th, 2011, 08:47 PM

Most of those sites you visit via malware domain repositories are often opened up in an iframe and then linked via JavaScript to a hacked, legitimate domain.

I believe that was the case with mysql.com

http://blog.sucuri.net/2011/09/mysql...t-malware.html

http://www.pc1news.com/news/0082/web...-websites.html

Websense Security Labs™ Report: Majority of Malware Being Spread Through Legitimate Websites
Quote:
The results of the study have shown that, as it was predicted, the amount of compromised websites during the first half of 2008 continued to grow and surpass the number of created malicious websites. To be more precise, the amount of infected websites increased by more than 50 percent during the first six months. 75 percent of websites with malicious code are in fact legitimate sites, having "good" reputation.
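An added illustration of the injection pattern this post describes (a hidden iframe, or a script that writes one, planted in an otherwise legitimate page). It is not code from the post or from the Sucuri or Websense articles it links; it is a small triage scanner of the kind one would run over a site's pages after a compromise report. The page host example.com, the host bad-host.invalid and the sample HTML are constructed for the example. The check it adds beyond the post is that the injected markup is often percent-encoded inside document.write(unescape(...)), so the script body is decoded before looking for an iframe in it.

```python
"""
Triage scanner for injected iframes and obfuscated inline scripts in HTML.
Added example; sample page, hosts and heuristics are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Tokens that, in combination, usually mean an obfuscated injected script.
SUSPECT_TOKENS = ("unescape(", "fromCharCode", "document.write(", "eval(")


class InjectFinder(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: list[dict] = []
        self._in_script = False

    def _foreign(self, url: str) -> bool:
        """True if the URL points at a host outside the page's own domain."""
        host = urlparse(url).hostname
        if host is None:                      # relative URL: same origin
            return False
        host = host.lower()
        return host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
                or "left:-" in style or "top:-" in style   # positioned off-screen
            )
            src = a.get("src", "")
            if hidden:
                self.findings.append({"kind": "iframe", "src": src, "why": "hidden"})
            elif self._foreign(src):
                self.findings.append({"kind": "iframe", "src": src, "why": "foreign"})
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._foreign(src):
                self.findings.append({"kind": "script", "src": src, "why": "foreign"})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the whole <script> body to handle_data.
        if not self._in_script:
            return
        hits = [t for t in SUSPECT_TOKENS if t in data]
        decoded = unquote(data)               # undo %XX encoding used with unescape()
        hides_markup = decoded != data and bool(re.search(r"<(iframe|script)\b", decoded, re.I))
        if len(hits) >= 2 or hides_markup:
            self.findings.append({
                "kind": "inline-script",
                "src": data.strip()[:60],
                "why": "obfuscated" + (", decodes to markup" if hides_markup else ""),
            })


def scan(html: str, page_host: str) -> list[dict]:
    """Return findings for one page; an empty list means nothing suspicious."""
    finder = InjectFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: legitimate content with two injected pieces.
SAMPLE_HTML = """<html><head><title>Example Shop</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://bad-host.invalid/in.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//bad-host.invalid/x%22%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "example.com"):
        print(f"{f['kind']:14} {f['why']:28} {f['src']}")
```

The sample yields two findings: the zero-size iframe, and the inline script whose decoded body contains an iframe tag. The "foreign script" rule will also flag legitimate third-party scripts (analytics, CDNs on other domains), so treat it as a triage signal to be reviewed against the site's known includes rather than as proof of compromise.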