(But in some cases may remain unknown for up to 2.5 years). A couple of days ago, two Symantec Researchers have published an interesting article (“Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World”) reporting the study of 0-Day Attacks between 2008 and 2001. They have analyzed 300 million files collected by 11 million hosts (a representative subset of the hosts running Symantec products) between March 2008 and February 2011.
These files were extracted from the the WINE environment (Worldwide Intelligence Network Environment, a platform for repeatable data intensive experiments aimed to share comprehensive field data among the research community) and correlated with three additional sources: the Open Source Vulnerability Database (OSVDB), Symantec’s Threat Explorer (the company database for the known malware samples) and an additional Symantec data set with dynamic analysis results for malware samples.
The purpose of the research was to execute a sort of automatic forensic analysis aimed to go back in time to look for 0-day attacks carried on during the analyzed period. The results are disarming.
The researchers were able to find 18 vulnerabilities exploited before disclosure, among which 11 were not previously known to have been deployed in 0-day attacks. Based on the data, a typical zero-day attack lasts on average 312 days, but in some cases may remain unknown for up to 2.5 years (think to what it means to have the enemy inside the gates for such a long time).
Just to confirm that 0-days are the cradle of targeted attacks, the data show that most zero-day attacks affect few hosts, with the exception of a few high-profile attacks (Do you remember Stuxnet?). Moreover, after vulnerabilities are disclosed, the volume of attacks exploiting them increases by up to 5 orders of magnitude (the number of variants increases “only” by up to 2 orders).
And this is not a mere coincidence since apparently the cyber criminals watch closely the vulnerability landscape, as exploits for 42% of all vulnerabilities employed are detected in field data within 30 days after the disclosure date.
A terribly worrying landscape, even considering a theoretical point of weakness of the research, that is the fact that the sample could be considered self-consistent referring only to malware strains collected by Symantec customers.
Did you update your Java Plug-in with the Update 7 after the critical vulnerability discovered last week? You’d better wait!
Adam Gowdiak, CEO of Security Exploration, the Polish startup that discovered the Java SE 7 vulnerabilities (immediately exploited by cyber criminals), has discovered a new flaw that affects the patched version of Java released this Thursday. A patch released outside the consolidated Oracle update cycle which foresees three updates per year: an uncommon event for the company which demonstrates the seriousness of the security hole.
Unluckily, history is repeating, Adam Gowdiak has told The Register, that just-released Java SE 7 Update 7, contains a flaw that could allow an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.
Even more unluckily, history is totally repeating: as happened for the previous vulnerability, the bug was reported to Oracle in April 2012 (and unfortunately is not yet patched).
At this point there is no other choice than disabling Java from your favourite browser.
If you want to know if your browser is vulnerable, you can click the following link: http://www.isjavaexploitable.com/.
Disable Java or Die!