0-Days Not As Big of a Threat as You Think

"It's time for a bit of a reality check regarding the "zero-day" bogeyman. It makes for great headlines, but a new report from Microsoft shows that the frightening menace of the zero-day is more urban myth than reality."

http://www.pcworld.com/businesscent...e_your_children_its_a_zero_day.html#tk.hp_new

Just as I've believed and said before, 0-days just aren't that big of a deal.

 

IMO,Its just scare tactics to try to get people to spend there money and bloat there pc to dealth with security software.

 

Let's make this very clear... the article is talking about zero-day exploits and not zero-day malware.

It's fairly well known that you're more likely to be exploited by an out of date plugin/ browser because of KNOWN vulnerabilities.

But most malware infections are probably from 0day malicious files.


The reason people talk about 0days so much is pretty clear, they're unknown. Defending against known exploits is often as easy as updating your software. Defending against unknown exploits means creating strong policies etc and hoping for the best.

I read the article a few days ago and didn't think much of it. 0days should definitely be taken seriously whether malicious files or exploits.

 

Have no fear sandboxie is here and a change of under wear in case my pc gets soiled.

 

These statements seem to sum it up nicely...

 

I don't take any 0-day serious. I take my security policy instead.

 

Policy in windows isn't strong enough for me to feel confident.

Maybe Protogon filesystem will help with permissions idk

 

Zero day exploits and the malware they deliver is only a threat on systems where they're allowed to execute, aka systems relying on conventional default-permit based security apps. A zero day exploit is meaningless if it can't deliver a functional malicious payload. Of course the security app vendors won't tell you this. There's no profit in default-deny based security.

 

Running virtual machine within your OS and running sandboxie within the vm would still not prevent potential attack from unknown exploit as anything is vulnerable if the malware is well designed and targets specific vulnerability.

Being prepared, aware and having robust procedures is all we can do. I like to think that that is more than 'hoping for the best' and keeping your fingers crossed lol

 

After November (day 3), things will be safer for AppLocker users.

 

Well, I disagree. The article reports that zero-day exploit threats are practically nil. So, even a zero-day malware piece that is designed to exploit a vulnerability that is no longer there, is also non-threatening. Besides, I have not seen, in all my years of computing that many true "zero-day" malware. The vast majority of malware that is "new", is nothing more than tweaked versions of already familiar malware. I really don't care that security companies come out with their scare reports. I only care about what is in the wild and a real threat to users.

I'm sorry, but security companies pull in millions/billions a year playing the same game the "Haunted House" industry does, which is scare the hell out of you.

 

That trick only works on the ill-informed.

 

The question is: In whom to believe?

A few weeks ago, Google released a report stating otherwise. Who's being the big liar? Google? Microsoft?

A zero-day exploiting a patched vulnerability is not dangerous, of course. But, the same zero-day will remain dangerous as long as many systems and applications run unpatched, and that is, unfortunately, a reality.

But, if exploits aren't, and never were, that much of a threat, then why does Internet Explorer have a sandbox? Why sandboxing something that isn't a threat? I suppose Microsoft will take it away with IE10?

 

The Stuxnet worm is a good example. To install its payload, it used 1 - 4 Zero-day exploits (depending on how you define Zero-day).

INFILTRATING CRITICAL INFRASTRUCTURES
http://www.aisec.fraunhofer.de/content/dam/sitmuc/en/pdf/studien/studie_stuxnet.pdf

A secure Default-Deny Policy stops Stuxnet cold.

A Policy doesn't always mean a product. In the original targeted scenarios, no extra security product was required:

Shortly after the emergence of the LNK exploit, I happened to meet someone who is system administrator overseeing 300+ computers. He said that they had a Group Policy whereby no executables can run/load from external media on the work computers.

End of Exploit -- Zero-day or not, it didn't matter.

regards,

-rich

 

No sane person will deny that exploits are a threat.

I've contended in the past that a Sandbox is a fail-safe device to contain the malware payload that is permitted to execute and get by the perimeter defense.

Nothing wrong with that at all, but not necessary if you feel secure with your Policies and Procedures that prevent the exploit from running in the first place.

Example: Adobe's Sandbox.

With the browser properly configured, the malicious payload will never make its way into the Sandbox because the code embedded in the web page will not be able to execute its commands to drop the payload executable.

Regards,

-rich

 

I think most everyone can agree that there are very real threats lying about. Whenever I see this sort of talk, it usually reminds me that I do need to have a set of protocols and tools in place, because threats do exist - but it also reminds me that I am very happy to be out of that "business model".

There have been various threads here over the years about whether an average user should have to make any decisions (become educated) or not. I don't think it is too outlandish to suggest that if there is no education, then they are merely a piece of the security business model. And like all businesses, you must have demand to sell your supply. Are reports and talk of 0-day threats fact or fiction?

Well, they are both. Some reports seem rather obvious (at least to me) due to the sensationalism they depict (the world is doomed, unless you use our product) and others seem to downplay it as an non-existent threat.

That is why I say users who really want "freedom" need to be educated. There are pitfalls out there, but you have to understand them to avoid them. And the pitfalls are not only viruses/malware/trojans, but also really crappy software that you have to buy, or freeware that just sucks. The amount of knowledge needed of course will vary greatly, but lack of any knowledge or sticking your head in the sand both seem illogical to me.

Sul.

 

Sandboxing is necessary to contain code that shouldn't have been allowed to execute in the first place. IMO sandboxing should be regarded as a 2nd line of defense. It should be used to contain legitimate attack surface applications in order to protect the rest of the system from code embedded in the files, media, etc that these apps open, a malicious PDF for instance. Other non-whitelisted executables, should never get that far. Running unknown executables in a sandbox keeps the user in a continual arms race with those who write that code. Eventually, someone breaks the containment, the sandbox gets patched, and the cycle repeats. It's the usual penetrate and patch routine, the same reactive policy that results in casualties and/or damage before the patch is released.

Very true. There's several ways to implement a default-deny policy, just as there's several ways to sandbox your attack surface, eg a sandbox app, virtual system, system policy, 3rd party HIPS rules, etc. What the user chooses is largely a matter of preference and trust. Myself, I don't trust Microsoft's built in tools to control the OS components, no matter how well it controls other software. That aside, for exploits that target the attack surface and malicious code contained in legitimate appearing files, how you sandbox them is not particularly important, as long as you do.

 

IDK why anyone is talking about sandboxing like it can't be policy.

Anyways,

Yes, 0day exploits are not a huge deal.

But let's not forget:
http://www.adobe.com/support/security/advisories/apsa11-01.html
or even:
http://www.zdnet.com/blog/security/adobe-flash-zero-day-exploit-in-the-wild/1189

0-day exploits happen... and they're taken advantage of. They're not always in the OS but they DO happen. Uncommon or not they are absolutely not something to be scoffed at, again because it's so difficult to protect yourself against them.

As for security companies and scare reports, idk about that. Considering that most security software absolutely fails to deal with 0days I don't think they'd focus much on that!

Now to focus on this:

I don't see your point.

Zero-day malware does not have to use exploits, it can be entirely socially engineered. It also can be a simple update to an older piece of malware to move around heuristics/ blacklists.

It's still 0day and most of the malware you run into probably hasn't existed for more than a few days. That's not always the case, but there are hundreds of new malicious files (updates or not they're 0day malicious files) and they DO get spread around a ton.

Again, Microsoft is talking about exploits... not files. 0day files are actually what I'd say they consider to be the huge threat here. Consider smartscreen, the idea is to stop new files from being downloaded without the users knowledge. It's aimed at NEW socially engineered malware.

And as was brought up by someone above this is a report my Microsoft. We've seen just as fancy reports by Google and we've seen reports by others contradicting them. There are so many arguments both ways I personally have no clue anymore.

On the one hand you've got Google, a company with more information on the web than nearly any other. Then we have Microsoft, a tech giant with more Windows-specific information than anyone else.

Personally, I only care about 0day exploits. It's the only thing that's really just "out of my hands."

 

Believe what you want, I'd rather be safe then sorry.

Couldn't agree more.

Well said.
Some form of sandbox/containment/default deny policy is IMO a very wise decision, and will always be a part of my setup.

 

Oh my gosh, you are quite poetic. .

Thanks.

 

I did say it.

I run a policy sandbox. The main difference is that it's enforced as much by HIPS as it is by the built in tools.

 

Ah, well there we go.

 

Not really but thanks.

 

And many of those are on sites which some of us don't come into contact with, unless you make a point of visiting malc0de, MDL or similar where they're listed there. And often not for long either.

 

Most of those sites you visit via malware domain respositories are often opened up in an iframe and then linked via javascript to a hacked and legitimate domain.

I believe that was the case with mysql.com

http://blog.sucuri.net/2011/09/mysql-com-hacked-javascript-malware.html

http://www.pc1news.com/news/0082/we...being-spread-through-legitimate-websites.html

ebsense Security Labsâ„¢ Report: Majority of Malware Being Spread Through Legitimate Websites