SANS: Zero-Day Exploits on The Decline Zero-Day Attacks Decrease in Number (But Not in Severity) Sean Michael Kerner
For years, the SANS Institute and others in the security industry have been warning about a rise in zero-day attacks. For 2007, the message is actually a little bit different, with SANS reporting that zero-day attacks are actually on the decline.
In its 2007 Top 20 Vulnerabilities listing, SANS noted that "several zero day attacks were recorded in 2007 although that number has dropped from the previous year."
The listing, which does not rank vulnerabilities in order of severity, placed placed zero-day vulnerabilities at No. 18, which is actually the last spot.
During a conference call discussing the results, SANS Top 20 Project Manager Rohit Dhamankar explained that though zero-day attacks are 18th on the list, it doesn't imply that the associated risks are less serious.
"Zero-day was last not because it was least important, but it had already been captured in other categories," Dhamankar toldInternetNews.com. "By putting it in slot 18, it in no way implies that it is less important."
Nevertheless, Dhamankar, who is also senior manager of security research at TippingPoint, confirmed the report's findings that zero-day attacks are on the decline.
Ed Skoudis, who serves as course director for SANS Incident Handling and Hacker Exploits, explained during the conference call why he thinks zero-day attacks are on the decline.
"One of the reasons is that bad guys don't have to use them (zero day)," said Skoudis, who also founded information security consultancy Intelguardians.
For example, he said, the Storm worm propagates itself though users clicking on an e-mail link, and does not require a zero-day exploit to function.
"When simple techniques work, there is no need to unfurl zero-days," Skoudis said. "Attackers can just save them for more targeted attacks."
Another reason why zero-way attacks may well also be on the decline, according to Skoudis, is due to a change in the definition of what actually constitutes a real zero-day exploit.
"We've seen a phenomenon that we have Microsoft 'Patch Tuesday' and that day is followed by 'Zero-Day Wednesday,' when exploits come out," Skoudis said.
Exploits released on the Wednesday following "Patch Tuesday" are no longer considered to be zero-day, Skoudis said. He argued that zero-day Wednesday was never properly named as it should have been referred to as "1-Day Wednesday" since the exploits would be one-day old.
Dhamankar, meanwhile, said that nomenclature aside, the industry has seen a real decline in zero-days.
Neither SANS nor Dhamankar have yet to provide data on how they counted the zero-days.
Despite what appears to be good news on the zero-day front, the SANS listing had some grim findings as well, noting the continuance of a trend toward client-side attacks.
Dhamankar said that thus far during 2007, Microsoft has patched 32 different client-side issues. In contrast, during the same period, Microsoft patched only 6 server-side issues.
While Internet Explorer remains a prime target on the client side, Microsoft's Office applications are increasingly coming under attack as well. SANS reported that vulnerabilities reported in Microsoft Office applications grew 300 percent growth compared to last year.
"We have seen a huge jump in vulnerabilities found in Microsoft Office products, especially Excel and Word," said Amol Sarwate, director of Qualys' vulnerability research lab. "What we see in the wild is the number of compromised systems is directly proportional to the number of vulnerabilities found."
