All your vulnerabilities belong to us: The rise of the exploit

In January 2010, the western world got a rude awakening when Google publicly acknowledged that it had been hacked and had been actively spied on for about six months by a Chinese group. As the story developed, it emerged that Adobe, Apple, Symantec, Yahoo, Morgan Stanley and many others had also been hit. Vast amounts of intellectual property had been siphoned off over a long period.

The initial shock gave way to a forensic investigation, which soon found that a zero-day vulnerability in Internet Explorer had been used as the entry method. This was one of the early public examples of how an exploit could lead directly to cyber-espionage, and was unfortunately the first of many similar breaches.

The growing impact of exploits isn't limited to the enterprise market. Exploit kits have become a highly effective way of automatically delivering banker Trojans and ransomware to everyday internet users. Point-and-click cyber-crime operations now hoover up the data of users who didn't update to the latest PDF reader or browser, adapting their form to whichever version a user is running.

Whether it is highly sophisticated cyber-espionage or consumer data theft, the growing role of exploits is clear. Mass-market applications such as Internet Explorer, Java, Flash Player, Silverlight, Adobe Reader, Microsoft Office Word and Excel make excellent targets.

This is not because they are less well-built than their competitors, but simply because they are used by so many people. In turn, this has fuelled an increasingly commercialized underground marketplace. Adverts for vulnerabilities on underground forums have become commonplace, and a whole cottage industry has sprung up to create, market and drive traffic to exploit kits.

The effectiveness of the exploit is down to three main factors. Firstly, exploits abuse common applications built by big trusted brands. Consumer and business awareness that the dependable word processor they have been using for years is actually being exploited by cyber-criminals is desperately low. The creators of these applications have spent billions of marketing dollars building goodwill with their user base, and malicious actors exploit this positive brand relationship.

This leads to bad human decisions, such as relaxed patching policies and a willingness to trust applications that users otherwise might not.

Secondly, although patches are issued relatively swiftly when a vulnerability is discovered, the window of exposure is still hard to close. From an enterprise perspective, many companies, particularly small ones, are slower to move than those seeking to exploit them. In many instances large companies also rely on legacy applications and have limitations on deploying security patches to the endpoints. With any high-profile vulnerability, malicious actors will be probing organizations during this sensitive time and will reap rewards. From a consumer point of view, the discovery of a new vulnerability is a minefield. Significant education is needed to convince home users to update applications.

Finally, traditional counter-measures are largely ineffective against zero-day exploits. Traditional endpoint security is reactive in nature, so it cannot address such a fast-moving problem, and a determined attacker will win every time. Network security measures, such as Intrusion Detection and Prevention Systems (IDS and IPS), firewalls and email/web filters, are also too reactive in nature.

Such systems also have inherent problems, such as known bypasses which use special encoding mechanisms during communication, and they do not protect clients outside of the corporate perimeter. Many modern approaches to perimeter protection which defend specifically against vulnerability attacks are also still in their infancy, and either only monitor a fraction of the corporate communication traffic (providing a less-than-ideal detection rate) or have high false positive rates. Finally, whilst the Windows OS has gone a long way to protect against vulnerabilities, with mitigations including DEP and ASLR, user-installed third-party software and non-ASLR-compliant libraries are an easy target for exploit shellcode.

Amidst all the hand-wringing which has taken place recently about the failure of anti-virus (AV), the industry needs to stand up and be counted. We must innovate and deliver products which face up to the exploit threat in an effective manner, because every day is now a zero day.

Pedro Bustamante is director of special projects at Malwarebytes.