During the past two weeks, several zero-day vulnerabilities have turned up in commonly used software. The most publicized of these was the zero-day affecting all versions of Microsoft Internet Explorer. Microsoft considered the vulnerability critical enough that it decided to release a patch for Windows XP, even though it ended support for that operating system at the beginning of April.
Typically, criminals discover zero-day vulnerabilities before they are known by vendors like Microsoft. This makes them especially dangerous for several reasons. Since there is no vendor patch available for the flaw, criminals are free to exploit it at will. Also, since security vendors don't know about the bug, security products and services don't know what to look for or block. This means criminals can develop an exploit with a high success rate and low detection rate.
Finding a zero-day and then developing an exploit for it requires a great deal of knowledge and skill. This is why many zero-days are found in conjunction with sophisticated, targeted attacks. For example, the Internet Explorer zero-day was a part a larger malware distribution campaign.
Part of the reason we are seeing more zero-day vulnerabilities discovered these days is because of the growth of third-party security vendors. To keep up with ever-evolving arms race between attackers and potential victims, more organizations are asking for help, whether that's monitoring security logs, making sure their security technologies and policies are updated based on the latest threats or providing incident response after a breach has occurred. Having more expert eyes in the field is definitely one reason more zero-days are being detected.
Another silver lining in this zero-day outbreak is that it should encourage organizations to revisit their overall security practices. Businesses should consider how a multi-layer security strategy that includes up-to-date anti-malware technologies and network monitoring can help lower the threat risk. It's also critical to deploy a security awareness education program so that users can spot signs of phishing emails and potentially malicious websites. Finally, organizations should be prepared and have in place an incident response plan that has been recently updated and tested. If you cannot prevent exploitation, it's very important to be able to respond and recover from it in a timely manner.
Karl Sigler is threat intelligence manager at Trustwave.