Zero-day vulnerabilities share little in common except for the threat they pose
- By William Jackson
- Dec 17, 2009
Zero-day vulnerabilities take many forms. The one thing they have in common is that attackers know about them before vendors and users do, or at least before a fix exists. That's what the term means: the vendor has had zero days to prepare a patch by the time the flaw is exploited or disclosed, so on “day zero” of its exposure the only people positioned to act on it are the black hats.
Vendors and security professionals start from behind with a zero-day vulnerability: they must develop patches, fixes and workarounds to close the window in which attackers can exploit the weakness. Although vendors typically scramble to get a patch in place as quickly as possible, some zero-day vulnerabilities hang around for quite a while before they are fixed. According to the research team at eEye Inc., some of the longer-lived zero-day vulnerabilities are:
Microsoft Excel Invalid Object, high severity, disclosed Feb. 24, 2009: A remote code execution vulnerability that might allow a remote attacker to execute arbitrary code in the context of the logged-in user. The user would have to open a malicious Excel file manually.
Adobe Acrobat PDF Buffer Overflow, high severity, disclosed Feb. 19, 2009: Allows an attacker to execute arbitrary code on a victim’s machine if a malicious PDF document is viewed. Exploitation has been seen in the wild.
Creative Labs AutoUpdate Engine ActiveX stack buffer overflow, high severity, disclosed May 26, 2008: The AutoUpdate Engine ActiveX control provides automatic update capabilities for Creative Labs software. It is marked “Safe For Scripting” and “Safe For Initialization,” which means that any Web page loaded in Internet Explorer can instantiate and script the control, so the browser itself becomes the attack surface. Exploit code for this vulnerability is publicly available.
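The practical question a defender has about a control like this is which other registered controls carry the same “Safe For Scripting” / “Safe For Initialization” markings and whether Internet Explorer's kill bit has been set for them. The following PowerShell is an added example written for this page, not code from the article or from Creative Labs or eEye: it enumerates every CLSID that advertises those two documented component categories and reports whether the kill bit (bit 0x400 of the control's “Compatibility Flags” value) is set, plus a helper to set it. The function names are the author's own, and the script assumes it is run in an elevated PowerShell on a Windows host.

```powershell
# Added example, not from the original article.
# Documented category GUIDs: CATID_SafeForScripting and CATID_SafeForInitializing.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag         = 0x400   # Compatibility Flags bit that stops IE instantiating the control

function Get-ScriptableActiveXControls {
    # Walk every registered CLSID and keep the ones marked safe for scripting/initialization.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid   = $_.PSChildName
        $catPath = Join-Path $_.PSPath 'Implemented Categories'
        if (-not (Test-Path $catPath)) { return }   # 'return' here skips to the next CLSID

        $cats = (Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue).PSChildName
        $sfs  = $cats -contains $SafeForScripting
        $sfi  = $cats -contains $SafeForInitializing
        if (-not ($sfs -or $sfi)) { return }

        # Friendly name and the DLL/OCX that implements the control.
        $name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'

        # Kill bit lives under HKLM\...\ActiveX Compatibility\{CLSID}\Compatibility Flags.
        $compatPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags = 0
        if (Test-Path $compatPath) {
            $flags = [int](Get-ItemProperty -Path $compatPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        }

        [pscustomobject]@{
            CLSID                 = $clsid
            Name                  = $name
            Server                = $server
            SafeForScripting      = $sfs
            SafeForInitialization = $sfi
            KillBitSet            = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    # Set the kill bit for one CLSID so Internet Explorer refuses to load it (needs elevation).
    param([Parameter(Mandatory)][string]$Clsid)
    $compatPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatPath)) { New-Item -Path $compatPath -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $compatPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = ([int]$existing) -bor $KillBitFlag      # preserve any other flags already set
    New-ItemProperty -Path $compatPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $newFlags -Force | Out-Null
}

# Usage: list the scriptable controls a web page in IE can still reach on this host.
Get-ScriptableActiveXControls |
    Where-Object { -not $_.KillBitSet } |
    Sort-Object Name |
    Format-Table CLSID, Name, Server, SafeForScripting, SafeForInitialization -AutoSize
```

On 64-bit Windows, 32-bit controls register under the Wow6432Node views of both the CLSID and the ActiveX Compatibility keys, so a complete inventory runs the enumeration from a 32-bit PowerShell as well. Setting the kill bit is the vendor-independent workaround for an unpatched scriptable control: it does not remove the vulnerable code, but it closes the browser as a delivery path until a fixed control ships.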
Microsoft Windows XP Internet Connection Sharing denial of service, medium severity, disclosed Oct. 28, 2006: This vulnerability allows a LAN-side attacker to send a specially crafted DNS request to a vulnerable host to cause a denial of service for the ICS service, which also hosts the Windows Firewall, and could allow further exploits once the firewall is taken offline.
Microsoft Windows Remote Procedure Call Memory Exhaustion, low severity, disclosed Nov. 16, 2005: Three referenced exploits take advantage of a bug in RPC that lets an attacker supply the size of an output buffer. RPC allocates the buffer and (more importantly) initializes it to zeroes, committing the entire memory range. Because of its privileges, the target service is given all the virtual memory it asks for, so an attacker-chosen size exhausts virtual memory.
William Jackson is a Maryland-based freelance writer.