Zero Days and Patch Lag: Stemming the Software Pandemic

Working from home. Rewind to 2019 and you would usually find this phrase listed as a work perk on recruitment documents, yet today it is a frequent feature of daily conversations and news headlines.

It can be strange to reminisce about pre-pandemic times. COVID-19 hasn’t simply been a question of health and safety. It has transformed many facets of our lives from social interactions and pastimes to daily routines and working life.

It is the latter that I would like to focus on. The virus forced millions of businesses globally into remote operational models almost overnight, expanding the digital landscape drastically and providing cyber-attackers with immense opportunities to execute malicious activities on a heightened scale.

Cybercrime surged in 2020. Ransomware attacks, phishing campaigns and novel attempts were widespread.

With users spending the vast majority of their working day in a web browser accessing various SaaS applications and corporate resources based in the cloud, it was only natural that web browsers were feverishly targeted. In particular, we’ve seen a significant spike in the use of Zero Day exploits targeting the web browser in order to compromise endpoint systems.

Zero Day Attacks – What Are They?

Zero Days are opportunistic attacks. They occur during a period when a weakness is discovered in a piece of software, and that vulnerability is subsequently exploited before the creator provides and implements a fix.

Even the largest, most robust organizations are subject to these threats – in recent times, we’ve identified an increasing trend of attackers focusing on developing Zero Day exploits for Chrome.

This may come as a surprise, but it shouldn’t. Chrome has the largest market share of any web browser, so it is only natural that attackers would target it. Further, as of January 2020, Microsoft Edge became based on Chromium, so developing an exploit from Chrome can now simultaneously target both browser architectures.

Indeed, Chrome is entirely aware of Zero Day exploits and its creator, Google, does everything it can to protect its users. But patch lag, combined with the time taken by enterprises to patch their browsers – combine to form a significant challenge.

The lag is the time between the attacker finding the bug, it becoming public knowledge and then the vendor fixing that bug. The issue is that this can take time and during this period attackers can successfully exploit the software bug.

Analysis of the Chrome browser update cycles of our global customer database at Menlo Security demonstrates the challenge.

While Chrome 87 was released on November 17, 2020, adoption was only 84% by December. This same trend occurs for Chrome 88: it was released on January 19, 2021, and only saw 68% adoption by February.

Isolation Prevents Infection

Google has responded with more frequent Chrome updates, possibly as a result of the SolarWinds breach when the company unknowingly sent out Orion software updates with hacked code to customers that went undetected for months.

End-users are also responding well. Within our global customer base, we saw those companies spanning the oil and gas, finance, banking, government and construction industries were all early adopters of browser updates, particularly in North America and Singapore.

Indeed, a chain of more frequent updates and earlier adoption reduces the opportunities for Zero Day Attacks, yet, unfortunately, it does not solve the problem entirely. While patch lags windows may be reduced, they still exist.

So, what’s the solution?

Isolation technology for one provides immense value. It moves the execution point for active content away from the user’s browser to one in a disposable virtual container in the isolation platform. Essentially, it creates an air gap and prevents all active content, including exploit code, from reaching the would-be target, thus preventing Zero Day Attacks on a user’s machine.

The principles of social distancing and quarantine that we have become all too familiar with apply to cyber-attacks as well – if you don’t come into contact with a virus, then you cannot be infected.

What’s Hot on Infosecurity Magazine?