Zero Day Threats: Part 4 - What’s New and Where Are They Headed?
Monday July 2, 2007 at 12:20 pm CST
Posted by Craig Schmugar
Parts 3 and 3.5 of this series covered when and how Zero Day Threats are released; this last part briefly covers key events over the past year and touches on what we can expect over the next year.
There have been a few significant developments in the zero day threat space over the past 12 months. A year ago to the day, the first Month of Bug project was launched, during which browser related vulnerabilities were disclosed, one for each day of July. Most of these threats had not been disclosed previously. Many security researchers followed the project closely, numerous press articles were published, and just in general a lot of attention was given to the project, those behind it, and the vulnerabilities that were disclosed. Since then there have been 8 other Month of Bug Projects. Many of the vulnerabilities irresponsibly disclosed are considered to be zero day threats.
Month of Bug Projects

| Title | Month Held |
|---|---|
| Month of Browser Bugs | Jul-06 |
| Month of Kernel Bugs | Nov-06 |
| Month of Apple Bugs | Jan-07 |
| Month of PHP Bugs | Mar-07 |
| Month of MySpace Bugs | Apr-07 |
| Month of ActiveX Bugs | May-07 |
| Month of Search Engine Bugs | Jun-07 |
While these projects are growing tiresome and the media attention has largely subsided, the existence of these projects highlights the motivations of those behind them: primarily fame, peer praise, vendor bashing, and raising awareness of the issues. Some vendors have been more responsive than others, as you'd expect.
Another fairly recent event is the release of a new Metasploit Framework. A description from the Metasploit site:

"The Metasploit Framework ("Metasploit") is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits, 104 payloads, 17 encoders, and 3 nop modules. Additionally, 30 auxiliary modules are included that perform a wide range of tasks including host discovery, protocol fuzzing and denial of service testing."
This release speaks to the maturity of vulnerability assessment tools as well as exploit automation. Speaking of vulnerability assessment tools, the AxMan fuzzer was used to discover nearly 20 different ActiveX flaws during the first of the Month of Bug projects. Fuzzers are programs designed to test how an application handles its inputs, or parameters, typically by feeding it malformed or unexpected data and watching for failures. While fuzz testing dates back to 1989, fuzzers have recently been used to discover numerous critical security vulnerabilities. Here's a list of fuzzers released around the time of the first Month of Bug project.
Fuzzers

| Name | Quarter Released |
|---|---|
| AxMan | Q3-06 |
| CSS-Die | Q2-06 |
| DOM-Hanoi | Q2-06 |
| Hamachi | Q2-06 |
| Orphan Objects | Q3-06 |
Some fuzzers used during other Month of Bug projects were also later released.
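To make the fuzzing idea above concrete, here is an added example (not code from the original post or from any of the fuzzers listed): a minimal mutation fuzzer run against a small, constructed record parser that trusts its length byte, and then against a hardened version of the same parser that validates it first. The record format, function names and seed record are all assumptions for the illustration.

```python
import random

# Constructed record format: [len][payload (len bytes)][checksum byte].
SEED_RECORD = bytes([5]) + b"hello" + bytes([sum(b"hello") & 0xFF])


def parse_record(buf: bytes) -> dict:
    """Fragile parser: trusts the length byte, so a length larger than the
    remaining data indexes past the end of the buffer (IndexError)."""
    length = buf[0]
    payload = bytes(buf[1 + i] for i in range(length))  # may run off the end
    if buf[1 + length] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"length": length, "payload": payload}


def parse_record_safe(buf: bytes) -> dict:
    """Hardened parser: checks the length against what was actually received
    before touching any byte, so malformed input is rejected, not crashed on."""
    if len(buf) < 1:
        raise ValueError("empty record")
    length = buf[0]
    if len(buf) < 2 + length:
        raise ValueError("truncated record")
    payload = buf[1:1 + length]
    if buf[1 + length] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"length": length, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: overwrite a byte, insert one, or truncate."""
    op = rng.choice(("overwrite", "insert", "truncate"))
    if op == "overwrite" and data:
        i = rng.randrange(len(data))
        return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]
    if op == "insert":
        i = rng.randrange(len(data) + 1)
        return data[:i] + bytes([rng.randrange(256)]) + data[i:]
    return data[:rng.randrange(len(data))] if data else data


def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Feed mutated inputs to `target`; a clean ValueError rejection is expected
    behaviour, any other exception is a crash. Returns {exception name: input}."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    crashes = {}
    for _ in range(iterations):
        data = mutate(seed_input, rng)
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - any crash is what we look for
            crashes.setdefault(type(exc).__name__, data)
    return crashes
```

Running `fuzz(parse_record, SEED_RECORD)` surfaces the length-trust bug as an `IndexError` with the input that triggered it, while the same run against `parse_record_safe` reports nothing.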
A third significant and recent event was the in-the-wild discovery of a targeted zero day attack on the infrastructure. I’m talking about the RPC DNS Server Service Vulnerability (CVE-2007-1748). The evolution from discovery to mass-attack was not unfamiliar, but this could be a sign of times to come, where targeted attacks branch out from the more typical application vector (namely MS Office) and focus more on the infrastructure.
So what lies ahead?
- The Month of Bug projects should start to slow down before too long, as the newness wears off and researchers look to other means of raising awareness
- The development of exploit tools will continue to mature with continued and increasing collaboration as well as availability
- The market for quality exploits will continue to expand
- Web applications will continue to be a major target for attackers
- The infrastructure will be a growing target moving forward
I hope you've enjoyed this blog series. This data and commentary represent a fraction of the content that my colleagues and I have been preparing for threat forecast reports covering a wide range of threat topics; content that is being used by customers and McAfee alike to plan for the future, invest more wisely, and mitigate risk. These forecasts are being produced and updated on a regular basis. Look for excerpts in future blog postings and series.
