
Bounties, fuzzing and zero-day threats. Part 2 November 2, 2006

Posted by Dave Marcus in Zero Day.

So where were we? Oh, yeah, zero-day threats.

The most interesting part lately (IMO anyway) of zero-day threats surrounds Microsoft patch releases. In recent months, there has been a growing correlation between when Microsoft releases its regular patches and the discovery/disclosure of zero-day exploits. They tend to appear within ±3 days of the patch release, allowing them to maximize their window of opportunity. This would seem to be evidence that attackers are exploiting this release model to their advantage. Bruce Schneier has also weighed in on this issue on his own blog.

Consider the following areas that contribute to zero-day exploits as a commodity:

  • Vulnerability researcher dissatisfied with Vendor
  • Government and Corporate Espionage (targeted data attacks instead of outbreaks)
  • Vulnerability Bounty Programs
  • Penetration code as a revenue producer for the attacker
  • Advances in fuzzing and other vulnerability search tools

All these areas are converging to give rise to more potential zero-day threats. Consider that Microsoft is closing in on having patched almost 100 Critical Vulnerabilities this year and that by July of 2006 they had released more critical vulnerability patches than in 2004 and 2005 combined. Add to this 1 part bounty programs, 1 part easier fuzzing and you can easily see the potential for both zero-day exploits and targeted attacks becoming more prevalent than ever before.
