Recent incidents have highlighted that attackers are quickly turning public vulnerability information into exploits, leaving defenders with a shrinking window in which to patch software flaws.
On Oct. 29, the security team for the popular content management system, Drupal, warned users that a SQL injection vulnerability disclosed on Oct. 15 was exploited so quickly that sites that haven’t patched the flaw should assume that they are compromised.
In early October, security firms warned that multiple attackers had begun using a previously unknown vulnerability in Windows first exploited in the so-called “Sandworm” campaign. The Sandworm vulnerability is expected to make its way into exploit kits and become more widely used.
“Once the attack becomes well-known and publicized, then a lot of other groups start to look at it, and people who are selling exploit kits add it to their kits, and then everyone who buys the kits will be able to use it,” Kevin Haley, director of Symantec Security Response, told eWEEK.
While many vulnerability researchers have noted the seeming relationship between the disclosure and exploitation of vulnerabilities, the link has only occasionally been studied. In a paper published in 2012, Symantec researchers found that, soon after details of a zero-day vulnerability were disclosed to the public, the number of attacks using that security flaw skyrocketed—in some cases by a factor of 100,000. The researchers concluded that “the disclosure of zero-day vulnerabilities causes a significant risk for end-users.”
In a study of the vulnerabilities used in the Stuxnet cyber-attack on Iran’s nuclear capability, researchers from Lancope and Microsoft found a similar relationship. A zero-day vulnerability in the handling of icons, known also as LNK files, used by Stuxnet made its way into a number of other attacks, according to a 2013 paper published in the Virus Bulletin.
“Attackers are attracted to vulnerabilities that have successfully been used by other attackers,” Microsoft’s Holly Stewart and Lancope’s Tom Cross wrote in the paper. “The knowledge that a particular vulnerability exists and has been targeted ‘in the field’ can indicate to attackers that it is worth their time and effort to investigate that vulnerability and reproduce a functional exploit or integrate a public one into their toolkit.”
While remotely exploitable attacks, such as the recent flaw in Drupal and the ShellShock vulnerability in the Bash shell popular on Linux and Unix systems, are the most popular attacks, file-based exploitation of common applications—such as Microsoft’s Office, Oracle’s Java or Adobe’s Acrobat—also continues to be a major threat.
The problem is not easily solved. Some security professionals prioritize patches based on the probability of the underlying vulnerability’s exploitation. Other experts deploy software that can block malicious code, known as a virtual patch, to prevent exploitation until administrators have a chance to upgrade vulnerable software.
Yet, it will always be a race between attackers and defenders, Symantec’s Haley said.
“The exploit-kit guys compete on having the newest exploits first,” he said. “It’s a competition to get the latest techniques in their software.”