If you don’t keep your computer protected, it’s very easy to get it infected – as many of you can probably relate to. There are multiple ways to keep your computer clean and your data safe. You can use your common sense to avoid catching a digital cold, and install a good anti-virus application.
Another part of securing your computer and your online presence is to stay informed. Stay informed of important security trends and security holes.
One term that often comes up in relation to viruses and security are zero-day exploits, vulnerabilities and attacks. Not too long ago a seven year old Internet Explorer vulnerability was found. Sounds like a long time? It is. To help you get traction on the subject, we’ll explain to you the concept of software vulnerability, zero-day exploits and the window of opportunity.
The average software application consists of an incredible amount of code. As is to be expected, a lot of code is not bullet proof at its conception. For one, bugs slip in. A lot of these bugs are relatively harmless (relative being the key word) – they create a deadlock and cause the application to freeze, or make the application misbehave under certain irregular conditions.
A more serious security risk arises from the presence of exploitable bugs, or software vulnerabilities. Software vulnerabilities compromise the security of the computer system. Sneaking in through the cracks provided by flawed or insufficiently protected code, malign individuals are sometimes able to execute their own code under the guise of a computer’s own user, or access restricted data (just to name a few of the possibilities).
Simply put, a software vulnerability is a flaw in the software’s design or implementation that can potentially be exploited.
A software vulnerability on its own does no harm (yet). First, the attacker has to find the vulnerability and write an exploit; a piece of software that uses the vulnerability to carry out an attack. This (zero-day) attack can take the form of a virus, worm or trojan infecting your computer system.
Often, these software vulnerabilities are first discovered (or brought to the attention of) the software developers, and are fixed in future updates to the application. But if the attacker is able to discover the vulnerability before the developer knows of it, the attacker can write a zero-day exploit. This term derives its name from the fact that the first attacks take place before anyone (most importantly, the developer) has knowledge of the vulnerability.
A zero-day exploit gives the attacker an unprecedented advantage. Because the developer had no knowledge of the exploit, they’re not able to develop a fix and users of the application are entirely without protection. Until the attack is noticed and recorded, even conventional virus scanners are of little use. The vulnerability window describes the time between a vulnerability is first exploited and the developer of the application pushes a patch. This follows a distinct timeline.
- The (unknown) vulnerability is introduced in a piece of software.
- The attacker finds the vulnerability.
- The attacker writes and deploys a zero-day exploit.
- The vulnerability is discovered by the software company and it starts developing a fix.
- The vulnerability is disclosed publicly.
- Anti-virus signatures are released for the zero-day exploits.
- The developers release a patch.
- The developers finish deploying the patch.
The zero-day exploit attacks last from point 3 to point 5. According to a recent study, this period lasts ten months on average! However, not that many hosts are usually affected. The biggest strength of zero-day attacks is their relative invisibility, and zero-day attacks are most often used to strike at very specific targets.
A much more dangerous period for the average user lasts from point 5 to point 8, which is the follow-up attack wave. And only on point 6 will those anti-virus applications start taking effect. According to the same study, other attackers swarm to the vulnerability after its public disclosure, and the volume of attacks increases by up to five orders in magnitude!
After reading the article, how does the seven year old Internet Explorer vulnerability sound? Due to a lack of data, we can’t say for sure how big the vulnerability window exactly was, but it likely wasn’t small. Let us know your thoughts in the comments section below the article!
Image credit: Victor Habbick / FreeDigitalPhotos.net
More articles about: