Interestingly enough, these last five days have given the Application Security arena a run for its money, with the attention around the zero-day flaw in Java 7. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system, which could be attributed to the fact that the default Java security level was set to ‘Medium,’ letting an attacker run code without the user being prompted before any unsigned Java applet or Java Web Start application was executed. (You can read more about the alert here.) The vulnerability ended up being so serious that on Friday the Department of Homeland Security warned users to disable Java software completely, while Apple actually disabled it remotely on its machines that had the program installed.
A zero-day vulnerability is one that is not known to the vendor or the public, but only to those who discovered it, i.e. the hackers. The name comes from the notion that there have been zero days to address it. Furthermore, a zero-day exploit takes advantage of the fact that the vulnerability is non-public and unknown to gather targeted information, perform reconnaissance, and orchestrate a more sophisticated attack. An attack using a true zero-day vulnerability is extremely difficult, and many times impossible, to stop, since there is no known signature that enables tools to detect it.
As you read on, think of the number of systems that could potentially be exploited due to zero-day flaws “in the wild.” Indeed, there is a black market for zero-day vulnerabilities… scary, isn’t it? Fortunately, there are programs out there that reward researchers who report zero-day flaws ethically, with public disclosure only after a patch has been released. But let’s take this experience as an example to reinforce the importance of Application Security as part of your overall Information Security strategy. While zero-day flaws impact commercial software that is often used by your organization and is largely outside your control, it is also true that security vulnerabilities may be present in your core Web applications. What’s worse is that they could be exploited, leading to data breaches or unauthorized access to your networks and resources. Thankfully, today there are many application security offerings out there and a plethora of tools and recommendations, so neglecting to take proper precautions in application security testing will be tough to justify.
Moral of the ‘story’: Don’t be caught off guard; continuous evaluation of the performance and effectiveness of your Antivirus/IDS/IPS pays dividends. While Antivirus and Firewall do largely dominate the security technology scene, as reported in September 2012 by Gartner’s Eric Ahlm and Lawrence Pingree in their research, Report Highlight for Survey Analysis: Profiles of the Leading and Lagging IT Security Programs in North America, your information security strategy must also include a strong vulnerability management process that allows you to scan constantly for known vulnerabilities at the network layer. It is vital to revisit your application security policy and ensure that all vulnerabilities identified as “critical” and “high” in your core applications get fixed, and that this is done in a timely manner.