Given the recent rumors about 0day in IIS and confirmed 0day in several different Microsoft Office applications, these comments seem appropriate.
The first question I pose is: why the sudden increase in vulnerabilities that are published as 0day instead of responsibly disclosed? This isn't intended to be a comment on full-disclosure. But if you look over the past couple of years, almost all vulnerabilities that are discovered by actual researchers (not criminals) were disclosed responsibly to Microsoft. Is the researching community becoming disenchanted with the long Microsoft patch cycle? Is there more incentive (fame) for researchers to disclose full details to bugtraq or full-disclosure? Is there more incentive (financial) to sell an exploit to iDefense, 3com, or the highest bidder on eBay? If you are a software vendor, what are you doing to ensure that vulnerability researchers are kept happy and disclosing security bugs responsibly?
Now here is where I can feel people firing up their flamethrowers. There has been lots of panic and rumors recently about 0day bugs. And it isn't just focused on Microsoft products. We occassionally get e-mail asking if we know about 0day in OpenSSH, Apache, and PHP. The question shouldn't be whether 0day exists. Because 0day exists and it will always exist.
The question is whether you or your organization would be the target of such an exploit? The time is long gone for an exploit author to embed his nice 0day into a worm and let it run rampant through the Internet. Today, 0day exploits are more likely to be used for military purposes, financial crime, and possibly terrorist activities (although, probably not).
So in reality, the organizations that really need to be concerned about 0day are the ones responsible for protecting military/government assets, financial institutions, and critical infrastructure agencies. Since you know 0day exists and if you are a target, what are you doing to protect yourself? How do you protect against, detect, and respond to unknown vulnerabilities?
For the rest of the folks out there (small/medium businesses, hobbyists)... Should you worry about 0day? Usually not, but if you have all the other critical security components in place then go ahead.
I'm curious to know what kinds of 0day protection systems people have in place? In the *NIX world, there are some fairly decent (and free) options for protection: Grsecurity, NSA SE Linux, Systrace, LIDS, ProPolice GCC patch and others. How about the Windows side? There doesn't seem to be much for the folks without hardcore $$. CORE security has something new called Force (http://force.coresecurity.com/) that looks quite promising. There is also a good list of commercial products for Windows and some comments compiled by fellow handler Jason Lam here: http://isc.sans.org/diary.php?storyid=635
In summary, you should expect 0day to be alive and well for your favorite operating systems, daemons, and applications. And if it concerns you, then do something about it instead of waiting to get smacked with it later. You will sleep better at night and not be frustrated at your favorite software vendor when they take 6+ months to patch simple little vulnerabilities.
Jun 20th 2006
1 decade ago