Zero-Day Exploits Escalate in 2013

Zero-day exploits, having never been seen in the wild before, have the ability to evade early detection, sailing through traditional and next-generation firewalls, intrusion prevention systems, anti-virus and web gateways. As a result, the potential for loss and theft of customer information, intellectual property and confidential information increases dramatically.

"The newest generation of cybercriminals are persistent, exploiting zero-day vulnerabilities that often leave security experts unaware of the holes in their networks until the damage has already been done," said Ashar Aziz, FireEye founder and CTO, in a statement.

The seven zero-day flaws discovered by FireEye this year are a varied bunch:

  • CVE-2012-4792, Internet Explorer: Allowed remote attackers to execute arbitrary code via a crafted website that triggers access to an object that was not properly allocated or was deleted.
  • CVE-2013-0422, Java: Retrieved a template from the web and created a full screen window demanding payment using some kind of social engineering scheme to scare the victim.
  • CVE-2013-0634, Flash: Allowed remote attackers to execute arbitrary code or caused a denial of service (memory corruption) via crafted SWF content.
  • CVE-2013-0640, CVE-2013-0641, PDF: Designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.
  • CVE-2013-1493, Java: Allowed successful unauthenticated network attacks via multiple protocols, which resulted in unauthorized operating system takeover including arbitrary code execution.
  • CVE-2013-1347, Internet Explorer: Allowed remote attackers to execute arbitrary code via a crafted website that triggered access to an object that was not properly allocated or was deleted.

Of course, FireEye’s total doesn’t cover the complete zero-day landscape. Symantec in April totted up all of the zero-day exploits known in the first quarter alone and found there to be 11 (the company’s second-quarter report has not yet been released).

The total of 11 is “quite high,” Symantec noted, adding that it, like FireEye, is concerned that the flaws affect widely deployed software such as Oracle Java, Adobe Flash, Adobe Reader and Microsoft Internet Explorer: going after popular applications allows for maximum damage.

“Most of these flaws can be exploited over the internet by enticing users to visit a site hosting the exploit”, Symantec said. “We also observed the attackers have started digging deeper to find vulnerabilities in the sandbox protection features of applications in order to bypass the restrictions for complete exploitation.”

A number of the flaws are used in different exploit kits and sold on the underground market.

To fill in the gap in network defenses, ideally companies should be able to monitor both inbound and outbound attacks, identifying the hallmarks of today's most advanced cyber-attacks and blocking those activities. But users should also be using basic best practices:

  • Ensure all applications are up to date with the latest security patches. Even though a zero-day exploit cannot be patched, the latest updates will provide protection from previously disclosed vulnerabilities.
  • Ensure anti-virus and IPS definitions are up to date.
  • Avoid visiting sites of questionable integrity.
  • Avoid opening files provided by untrusted sources.
  • Implement multiple redundant layers of security, such as non-executable and randomly mapped memory segments, that may hinder an attacker's ability to exploit vulnerabilities.
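The last item is the one that can actually be verified on a host. The script below is an added example, not code from the article, FireEye or Symantec: it reads the ELF header of a 64-bit Linux binary and reports whether it was linked as position-independent (a PIE image, so the main executable can be placed at a random address) and whether its `PT_GNU_STACK` entry marks the stack non-executable, and it interprets the `randomize_va_space` sysctl that controls system-wide address randomisation. The `build_test_elf` helper fabricates a minimal, non-runnable ELF image purely so the checker can be exercised offline; the field offsets and constants come from the ELF specification and Linux `elf.h`.

```python
import os
import struct
import sys

# ELF constants (ELF specification / Linux elf.h)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2          # e_ident[EI_CLASS]
ELFDATA2LSB = 1         # e_ident[EI_DATA], little-endian
ET_EXEC = 2             # fixed-address executable (not randomised)
ET_DYN = 3              # shared object / PIE (can be randomised)
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def check_elf_mitigations(data: bytes) -> dict:
    """Report PIE and NX-stack status for a 64-bit little-endian ELF image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a 64-bit little-endian ELF file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    exec_stack = None  # None means no PT_GNU_STACK entry at all
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)

    return {
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK is treated by the x86 Linux loader as an
        # executable stack, so only an explicit non-executable entry counts.
        "nx_stack": exec_stack is False,
        "has_gnu_stack": exec_stack is not None,
    }


def aslr_level(sysctl_text: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    level = int(sysctl_text.strip())
    return {
        0: "disabled",
        1: "stack, mmap and vdso randomised",
        2: "full (also brk)",
    }.get(level, "unknown")


def build_test_elf(pie: bool, exec_stack: bool, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal ELF64 image (header plus at most one program
    header). It is not a real binary; it exists only to exercise the checker."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    phnum = 1 if with_gnu_stack else 0
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 0x3E, 1,   # e_type, e_machine (x86-64), e_version
        0x1000, 64, 0,                         # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, phnum,                      # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                              # e_shentsize, e_shnum, e_shstrndx
    )
    if not with_gnu_stack:
        return header
    flags = 0x6 | (PF_X if exec_stack else 0)  # PF_R | PF_W, plus PF_X if executable
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary [...]
    sysctl = "/proc/sys/kernel/randomize_va_space"
    if os.path.exists(sysctl):
        with open(sysctl) as fh:
            print("system ASLR:", aslr_level(fh.read()))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_elf_mitigations(fh.read(64 * 1024)))
```

A binary that reports `pie: False` or `nx_stack: False` still loads and runs, which is exactly why this layer is easy to lose silently: it only shows up when an exploit that should have failed succeeds. Reading the first 64 KiB is enough for the program headers of ordinary binaries, since `e_phoff` almost always points immediately after the ELF header.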
