Targeted Office Attacks
Unlike the most dangerous of the IE-targeted zero-day threats, those directed against Word and other Office apps can't employ drive-by downloads. Instead, they typically rely on getting a victim to double-click an e-mail attachment--and when they are paired with orchestrated attacks against particular companies, even wary users can accidentally click.
By sending the employees of a targeted firm a faked (or "spoofed") e-mail message that appears to come from a coworker or other source within the company, a malicious hacker has a much better chance of persuading recipients to open an attached Word document than if the message appeared to come from a random sender.
In mid-December, Microsoft confirmed that Word contained two such vulnerabilities that crackers exploited to launch "very limited and targeted attacks," following manipulation of a string of similar flaws in Excel and PowerPoint. The company now warns users to be wary not only of e-mail attachments in messages from unknown senders, but also of unsolicited attachments from known senders.
Microsoft products may be the most popular zero-day targets, but other common software has provided equally dangerous avenues of attack. In January a researcher announced discovery of a flaw in QuickTime's handling of streaming video that would have allowed an attacker to effectively commandeer a victim's computer. In late November 2006 a zero-day vulnerability in the Adobe ActiveX browser control introduced a similar risk.
The rise in zero-day incidents mirrors a major increase in the annual number of reported software vulnerabilities. In 2006 software makers and researchers catalogued some 7247 vulnerabilities; that's 39 percent more than in 2005, according to Internet Security Systems Xforce.
Most of these bugs don't lead to a zero-day exploit, however. Software companies often receive reports of bugs and crashes from their users, leading to discovery of security holes, which the companies then patch before any attacker can exploit them. When outside security researchers discover a flaw, they (for the most part, anyway) adhere to a set of practices, known as "ethical disclosure," specifically designed to avoid zero-day attacks.
Under ethical disclosure, researchers first contact the software vendor confidentially to report their findings. The company doesn't announce the problem until it has a patch ready, at which time it publicly credits the original researchers with having uncovered the flaw.
But sometimes researchers, frustrated by the slow pace of a software maker's investigation, go public with details about the vulnerability while it is still unresolved. Some experts consider this tactic a necessary evil to force recalcitrant companies to issue a fix; others decry it as an unethical breach of industry practices.
People who advocate going public argue that if a researcher knows about the flaw, criminals might, too--and smart criminals will keep their attacks small and targeted so as to avoid the maker's attention, and a fix. Unfortunately, all too often, public disclosures of a vulnerability prompt public zero-day attacks.
Another controversial practice is bounty hunting. Some organizations, including iDefense and 3Com's Zero Day Initiative, pay researchers to report zero-day exploits to them. iDefense, for example, offers an $8000 bounty for information about vulnerabilities in IE 7 and Vista. The security companies then communicate their discoveries confidentially to the software companies. While not universally admired, these programs do put cash in researchers' pockets--an outcome that many prefer to a simple public pat on the back from software vendors.
Perhaps more important, security company bounties compete with the growing black market for zero-day exploits. The Vista vulnerability seller that Trend Micro's Genes observed in a chat room may or may not have found a buyer at the $50,000 asking price, but reports from eWeek.com and security companies say that the Windows Metafile attacks began immediately after a sale of relevant bug details for the tidy sum of $4000.
To find marketable flaws, researchers and criminals use automated tools called fuzzers to locate places where a program accepts input, and then systematically feed them bizarre combinations of data. Frequently this testing turns up an exploitable flaw called a buffer overflow.
Software companies, including Microsoft, commonly use the tools to find flaws in their own products proactively. But so do the crooks: BlackHat organizer Moss and many other experts say that Eastern European organized criminals, disciplined groups of Chinese hackers, and other miscreants use fuzzers to find valuable zero-day exploits. The discoverers can use the exploit to attack on their own or, as in the case of the WMF exploit, can sell it on the black market.
When a software maker can patch a security flaw before any attacks occur, both company IT staff and home users have time to update their software and stay ahead of the curve. But as soon as a zero-day attack commences, the clock is ticking--and sometimes it ticks for a while before the needed patch arrives.
During the first half of 2006, according to Symantec's September 2006 Internet Threat Security Report, Microsoft tied Red Hat Linux for the fastest patch development time for commercial operating systems: an average time of 13 days.