'Zero-day' threat looming

Computer users could soon be facing a ‘zero-day’ scenario: one where attackers can discover and exploit a vulnerability before security companies have had time to prepare a defence.

By  Peter Branton Published  March 21, 2004

Computer users could soon be facing a ‘zero-day’ scenario: one where attackers can discover and exploit a vulnerability before security companies have had time to prepare a defence. That’s the grim warning from security firm Symantec, which this month released its latest Internet Security Threat Report.

When a vulnerability is discovered, security vendors agree not to release information about it for a period of time, usually at least 30 days, so that people have a chance to work on a counter-measure. While companies can take months to work on a solution, the time between vulnerabilities being discovered and the release of an associated threat is shrinking rapidly, the company warns.

“The period of time between the announcement of a vulnerability and the release of an associated threat is shrinking,” the report states. “These trends suggest that ‘zero-day’ threats may be imminent.”

Last year’s Blaster worm, for instance, successfully targeted a vulnerability in the Windows operating system which had been announced less than a month before, Symantec pointed out. Last August saw three major security threats rampage across the internet in only 12 days: Blaster, Welchia, and Sobig.F, which between them infected millions of systems worldwide.

Speaking to Windows Middle East last year, Kevin Isaac, regional director for Symantec Middle East and Africa, admitted that the possibility of a ‘zero-day’ threat was “the thing that keeps me awake at night.”

“It used to be that you had a few days to work on solutions, now it’s a matter of weeks, maybe soon it will be days,” he said then. “A zero-day attack would be catastrophic because nobody would be protected. If you were to put a payload on that then you could cause all sorts of damage.”

While attackers are getting quicker at exploiting vulnerabilities, firms still often struggle to find solutions in time. Microsoft, for instance, recently took more than six months to release a patch for a major vulnerability in Windows which could allow an attacker to seize control of a user’s machine and do pretty much what he liked with it.

The good news for all of us is that the number of vulnerabilities out there seems to be leveling off, with only a slight increase from 2002’s 2,587 documented vulnerabilities to last year’s 2,636. The bad news, Symantec claims, is that the ones being discovered are more severe, based on impact, remote exploitability, authentication and availability. Security firm eEye Digital Security described the Windows vulnerability referred to above as “more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms,” when it reported it.
