The Thing with Zero Days…

May 8, 2009

People frequently ask us at security conferences, or during product demos: “What does CORE IMPACT do to help customers address zero-days?”

Zero days are an interesting topic to consider, one where I believe there is still some misunderstanding of the actual phenomenon, though it’s clearly an area of IT risk that a lot of people are talking about.

I assume that people are concerned with this issue because they’ve been hearing about malware campaigns that target vulnerabilities that no one has reported publicly before the attacks are discovered. That’s the true definition of a “zero-day” flaw – one that was unheard of, and therefore un-patched, before it was found in the wild.

However, some people mistakenly count known vulnerabilities that haven’t been patched, or those that haven’t previously been used in attacks, as falling under the zero-day umbrella. That’s not the case: anything that’s been reported, whether it’s been fixed or remains unfixed, has already been elevated beyond true zero-day status.

So, to the question, “does CORE IMPACT test for zero days?” The answer is no, but only because we embrace public disclosure, not because we aren’t working to keep our users ahead of new threats. With known issues that remain un-patched, or those that are simply new to the malware community, we’ll always try to have working exploits.

With true zero-day vulnerabilities uncovered by CoreLabs, our first action will always be to contact the involved vendor to tell them everything we know about the problem – and to help in the timely development of a solution for vulnerable users.

The existence of the problem, along with all the details necessary to understand its risk and to obtain and deploy a solution must be disclosed to all affected users, as well as other stakeholders.

And at that point, it’s no longer a zero day.

In the real world vulnerabilities are exploited whether they are publicly disclosed or not, and attackers pick those they use based on their potential value and "return on investment."

One of the biggest advantages of embracing public disclosure is that by informing everyone about known issues, this effectively turns a zero day into a known commodity and increases its "decay rate," thereby decreasing its malicious value.

This highlights one of the main reasons that Core is in business today – because we can level the playing field for organizations when it comes to issues like zero day vulnerabilities by arming them with the same information that people are using to create electronic attacks.

Vendors and customers need to be informed of new security vulnerabilities ASAP to educate the vulnerable population about problems and provide them with sufficient information to make informed decisions about managing risk.

In cases when a vendor delays publication of an advisory or patch beyond reasonable expectations, or enough information becomes public for in-the-wild exploitation – including the release of any so-called “silent patches” – we are forced to release our security advisories and exploit code to customers so that they can test workarounds and defenses against any emerging threats.

As vendors prepare their solutions, our developers are already building and testing exploits addressing the involved vulnerabilities so our customers can ensure that they’re protected as soon as problems go public.

So, does Core release zero days? The simple answer is that we do not. The moment our researchers discover a new vulnerability we report it to the vendor and begin leading the process to help everyone become informed of and protected from the issue.

While not everyone in the community shares this approach, to us, it’s just the best way to do business.

-Alex Horan, Senior Product Manager