Thursday, September 27, 2012

0-Day - Always, “Just around the corner”

Sounds like something from a Bruce Willis blockbuster, or is Morgan Freeman about to shout down his colleagues? Unfortunately it’s real enough and it is part of everyone’s daily life. Devices like mobile phones, computers, servers and fridge magnets - ah, ok, not yet perhaps, but seriously - nearly everything connected to the WWW. No nuclear submarines or the TARDIS, it’s happening in your pocket through the air you breath.

So what is Zero-day? It is when a flaw in software is discovered by someone, somewhere, before the developers of the software. The zeroeth day of awareness of a vulnerability. There are many grey areas to consider. Let me provide a recent example:- Java is used by billions of devices. It is a cross-platform runtime environment. One development language that works on many different kinds of hardware and operating systems. Java is owned, maintained and supported by the giant, Oracle.

On the 26th of August, a US based security company reported that an unpatched Java vulnerability was being exploited, using the latest version of Java. This was confirmed by other security analysis organisations, including and reported globally by the Register. Metasploit, an IT security project, also confirmed. A bug was logged in the National Vulnerability Database as CVE-2012-4681. CVE-2012-4681 allowed an attacker to use a dedicated webpage for users to download and run a payload which could contain a keylogger or network scanner, for example. Oracle finally responded, four days later, on the 30th August. Two other vulnerabilities were discovered; these forced Oracle to make patches available outside of their usual release schedule.

How are users and SysAdmins supposed to respond? Shout, “Disable Java” is a reasonable response. But then that is a big call. Most people took the risk and left Java enabled. Most out of ignorance of the issue. Ignorance is bliss! What is the incentive behind reporting the issue on the public WWW? - leaving the found hole, wide-open. Usually publishing the technical details ready for criminals to exploit. Instead of quietly knocking on Oracle’s door with the problem - then walking away. 

Why is there no agreed standard protocol in place so that discovered vulnerabilities like this are reported in silence? I once dreamed up an acronym; VDAP, Voluntary (or Vulnerability) Discovery Announce Protocol - after a rather nasty experience with a flaw discovered in the Linux kernel during 2009. VDAP may be a secure system that could be deployed and used by all major software developers to communicate, with encryption, vulnerabilities and their details. This relies on the principle of security through obscurity, Microsoft have perfected this principle anyway. It also relies on deep discretion. The kernel flaw was discovered by a Google software scientist, then posted on his personal blog.

The incentive to report newly found vulnerabilities and cause 0-day is many things; including glory, kudos, and sales. Sales of unofficial patches, services or scanning software - amongst others. One the other hand, the pressure on large vendors to provide a patch is automatically increased. Open source vendors and communities are often faster to respond with a patch. An agreed protocol might not work because people will choose, not to use it. The best solution, may not become clear for many years and this chicken and egg scenario will continue. As a Linux SysAdmin and Engineer, I have tools at hand; kernel level security, host based, firewall rules, MAC (mandatory access control) and application level security. Of these, the Firewall with proxy filtering, is the most powerful; the best security is a well balanced combination.

No comments:

Post a Comment