How can an administrator secure a 0day before patches are available?
up vote
5
down vote
favorite
I'm working on a thesis about the hacker community.
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
zero-day black-hat white-hat
edited 1 hour ago
forest
29.3k1490104
asked 3 hours ago
K.Fanedoul
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 1 more comment
up vote
5
down vote
favorite
I'm working on a thesis about the hacker community.
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
zero-day black-hat white-hat
edited 1 hour ago
forest
29.3k1490104
asked 3 hours ago
K.Fanedoul
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
As a classification of their activities, yes. WHs locate vulnerabilities and often recommend solutions, but they are not typically the ones expected to deploy the solutions. They are external people given permission to test. A web admin is not classed as a "whitehat".
– schroeder♦
1 hour ago
I understand that they can be external but in this case, who secure the application after the testers did their job ? The admin ?
– K.Fanedoul
1 hour ago
Yes, the admin.
– schroeder♦
1 hour ago
Your latest edit changes the question sufficiently that the existing answer no longer applies.
– forest
1 hour ago
There's always one way to prevent every security issue immediately: Shutting down the system.
– Fabian Röling
1 hour ago
|
show 1 more comment
up vote
5
down vote
favorite
up vote
5
down vote
favorite
I'm working on a thesis about the hacker community.
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
zero-day black-hat white-hat
edited 1 hour ago
forest
29.3k1490104
asked 3 hours ago
K.Fanedoul
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I'm working on a thesis about the hacker community.
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
zero-day black-hat white-hat
zero-day black-hat white-hat
edited 1 hour ago
forest
29.3k1490104
asked 3 hours ago
K.Fanedoul
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 1 hour ago
forest
29.3k1490104
asked 3 hours ago
K.Fanedoul
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 1 hour ago
forest
29.3k1490104
edited 1 hour ago
forest
29.3k1490104
edited 1 hour ago
forest
29.3k1490104
29.3k1490104
asked 3 hours ago
K.Fanedoul
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 3 hours ago
K.Fanedoul
265
asked 3 hours ago
K.Fanedoul
265
265
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
K.Fanedoul is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
As a classification of their activities, yes. WHs locate vulnerabilities and often recommend solutions, but they are not typically the ones expected to deploy the solutions. They are external people given permission to test. A web admin is not classed as a "whitehat".
– schroeder♦
1 hour ago
I understand that they can be external but in this case, who secure the application after the testers did their job ? The admin ?
– K.Fanedoul
1 hour ago
Yes, the admin.
– schroeder♦
1 hour ago
Your latest edit changes the question sufficiently that the existing answer no longer applies.
– forest
1 hour ago
There's always one way to prevent every security issue immediately: Shutting down the system.
– Fabian Röling
1 hour ago
|
show 1 more comment
As a classification of their activities, yes. WHs locate vulnerabilities and often recommend solutions, but they are not typically the ones expected to deploy the solutions. They are external people given permission to test. A web admin is not classed as a "whitehat".
– schroeder♦
1 hour ago
I understand that they can be external but in this case, who secure the application after the testers did their job ? The admin ?
– K.Fanedoul
1 hour ago
Yes, the admin.
– schroeder♦
1 hour ago
Your latest edit changes the question sufficiently that the existing answer no longer applies.
– forest
1 hour ago
There's always one way to prevent every security issue immediately: Shutting down the system.
– Fabian Röling
1 hour ago
As a classification of their activities, yes. WHs locate vulnerabilities and often recommend solutions, but they are not typically the ones expected to deploy the solutions. They are external people given permission to test. A web admin is not classed as a "whitehat".
– schroeder♦
1 hour ago
As a classification of their activities, yes. WHs locate vulnerabilities and often recommend solutions, but they are not typically the ones expected to deploy the solutions. They are external people given permission to test. A web admin is not classed as a "whitehat".
– schroeder♦
1 hour ago
I understand that they can be external but in this case, who secure the application after the testers did their job ? The admin ?
– K.Fanedoul
1 hour ago
I understand that they can be external but in this case, who secure the application after the testers did their job ? The admin ?
– K.Fanedoul
1 hour ago
Yes, the admin.
– schroeder♦
1 hour ago
Yes, the admin.
– schroeder♦
1 hour ago
Your latest edit changes the question sufficiently that the existing answer no longer applies.
– forest
1 hour ago
Your latest edit changes the question sufficiently that the existing answer no longer applies.
– forest
1 hour ago
There's always one way to prevent every security issue immediately: Shutting down the system.
– Fabian Röling
1 hour ago
There's always one way to prevent every security issue immediately: Shutting down the system.
– Fabian Röling
1 hour ago
|
show 1 more comment
4 Answers
4
active
oldest
votes
up vote
9
down vote
The person who discovers a security issue often reports it to the software vendor or developer first. This gives the software vendor time to fix the issue before publication. Then, after it is fixed the bug is publicly disclosed. This process is called responsible disclosure.
Sometimes, someone doesn't disclose the zero-day to the software vendor but uses it to hack other systems. Doing this can tip of security companies and disclose the bug, burning the zero-day.
I don't think your statement "most of the time, this same 0day is used since months by black hats" is true. This is true for some security issues, but a lot of zero-day bugs are found for the first time by white-hat hackers. I wouldn't say black hat hackers are ahead of white hat hackers. They both find security issues and some of these overlap. However, the offense has it easier than the defense in that the offense only needs to find one bug, and the defense needs to fix all the bugs.
answered 2 hours ago
Sjoerd
16.1k73856
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
|
show 2 more comments
up vote
3
down vote
When a zero-day is released or published, it comes with more than just a fancy name and icon. There are details about how the zero-day is used to exploit the system. Those details form the basis of the defender's response, including how the patch needs to be designed.
For example, with WannaCry/EternalBlue, the vulnerability was found by the NSA and they kept the knowledge to themselves (the same happens in the criminal community where vulnerabilities can be traded on the black market). The details were leaked, which informed Microsoft how to create the patch and it also informed administrators how to defend against it: disable SMBv1 or at least block the SMB port from the Internet.
That's how admins protect themselves. Patching is only one part of "vulnerability management". There are many things that an admin can do to manage vulnerabilities even if they cannot or do not want to patch.
In the WannaCry case, the NHS did not patch, but they also did not employ the other defenses that would have protected themselves.
One large part of my job is designing vulnerability mitigations for systems that cannot be patched for various business reasons. Patching is the better solution, in general, but sometimes it just isn't possible at the time of patching.
... are the blackhats ahead of whitehats?
That poses an interesting problem. If a blackhat finds a problem and only shares it with other blackhats (or other members of the intelligence community), does that mean that blackhats, in aggregate, are ahead of whitehats? Yes. Once a zero-day is exposed, it loses its power (that's the whole point of disclosing it). So to keep it secret, gives it power.
Are blackhats better skilled or use better techniques than whitehats? No. But the shared secrets gives blackhats more power, in aggregate.
answered 1 hour ago
schroeder♦
72.6k29160194
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
add a comment |
up vote
1
down vote
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
They use temporary workarounds until a patch rolls out.
When news of a 0day comes out, there are often various workarounds that are published which break the exploit by eliminating some prerequisite for abusing the vulnerability. There are many possibilities:
Changing a configuration setting can disable vulnerable functionality.
Turning off vulnerable services, when practical, can prevent exploitation.
Enabling non-default security measures may break the exploit.
Every bug is different, and every mitigation is different. An administrator with a good understanding of security can figure out workarounds on their own if sufficient details about the vulnerability are released. Most administrators, however, will look to security advisories published by the software vendor.
Sometimes, an administrator doesn't have to do anything. This can be the case if the vulnerability only affects a non-default configuration, or a configuration which is not set on their systems. For example, a vulnerability in the DRM video subsystem for Linux need not worry a sysadmin with a LAMP stack, since their servers will not be using DRM anyway. A vulnerability in Apache, on the other hand, might be something they should worry about. A good sysadmin knows what is and isn't a risk factor.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
Whitehats are more sophisticated, but blackhats are more efficient.
Whether or not blackhats are ahead of whitehats is a very subjective question. Blackhats will use whatever works. This means their exploits are effective, but dirty and, at times, unsophisticated. For example, while it is possible to discover the ASLR layout of a browser via side-channel attacks, this isn't really used in the wild since ubiquitous unsophisticated ASLR bypasses already exist. Whitehats on the other hand need to think up fixes and actually get the software vendor to take the report seriously. This does not impact blackhats to nearly the same extent, as they can often start benefiting from their discovery the moment they make it. They don't need to wait for a third party.
From my own experience, blackhats often have a significant edge. This is primarily because the current culture among whitehats is to hunt and squash individual bugs. Less emphasis is put on squashing entire classes of bugs and when it is, sub-par and over-hyped mitigations are what are created (like KASLR). This means blackhats can pump out 0days faster than they can be patched, since so little attention is given to the attack surface area and exploitation vectors that keep being used and re-used.
answered 1 hour ago
forest
29.3k1490104
1
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
|
show 1 more comment
up vote
1
down vote
When a 0day is published, how can a whitehat secure his application/website between the time the 0day is published and the patch is developed?
Sometimes there are workarounds which fix or mitigate the problem.
- Sometimes you can disable some feature or change some setting in the software which causes the exploit to not work anymore. For example, infection with the Morris Worm from 1988 could be prevented by creating a directory
/usr/tmp/sh. This confused the worm and prevented it from working. - Sometimes the exploit requires some kind of user interaction. In that case you can warn the users to not do that. ("Do not open emails with the subject line ILOVEYOU")
- Sometimes the attack is easy to identify on the network, so you can block it with some more or less complicated firewall rule. The Conficker virus, for example, was targeting a vulnerability in the Windows Remote Procedure Call service. There was usually no reason for this feature to be accessible from outside the local network at all, so it was possible to protect a whole network by simply blocking outside requests to port 445 TCP.
But that's not always the case.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats?
It happens quite frequently that developers / whitehats discover a possible security vulnerability in their software and patch it before it gets exploited. The first step of responsible disclosure is to inform the developers so they can fix the vulnerability before you publish it.
But you usually don't hear about that in the media. When point 59 of the patch notes for SomeTool 1.3.9.53 reads "fixed possible buffer overflow when processing malformed foobar files" that's usually not particularly newsworthy.
answered 1 hour ago
Philipp
43.7k7112138
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was tomkdir /tmp/sh.
– a CVn
36 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
K.Fanedoul is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199672%2fhow-can-an-administrator-secure-a-0day-before-patches-are-available%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
9
down vote
The person who discovers a security issue often reports it to the software vendor or developer first. This gives the software vendor time to fix the issue before publication. Then, after it is fixed the bug is publicly disclosed. This process is called responsible disclosure.
Sometimes, someone doesn't disclose the zero-day to the software vendor but uses it to hack other systems. Doing this can tip of security companies and disclose the bug, burning the zero-day.
I don't think your statement "most of the time, this same 0day is used since months by black hats" is true. This is true for some security issues, but a lot of zero-day bugs are found for the first time by white-hat hackers. I wouldn't say black hat hackers are ahead of white hat hackers. They both find security issues and some of these overlap. However, the offense has it easier than the defense in that the offense only needs to find one bug, and the defense needs to fix all the bugs.
answered 2 hours ago
Sjoerd
16.1k73856
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
|
show 2 more comments
up vote
9
down vote
The person who discovers a security issue often reports it to the software vendor or developer first. This gives the software vendor time to fix the issue before publication. Then, after it is fixed the bug is publicly disclosed. This process is called responsible disclosure.
Sometimes, someone doesn't disclose the zero-day to the software vendor but uses it to hack other systems. Doing this can tip of security companies and disclose the bug, burning the zero-day.
I don't think your statement "most of the time, this same 0day is used since months by black hats" is true. This is true for some security issues, but a lot of zero-day bugs are found for the first time by white-hat hackers. I wouldn't say black hat hackers are ahead of white hat hackers. They both find security issues and some of these overlap. However, the offense has it easier than the defense in that the offense only needs to find one bug, and the defense needs to fix all the bugs.
answered 2 hours ago
Sjoerd
16.1k73856
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
|
show 2 more comments
up vote
9
down vote
up vote
9
down vote
The person who discovers a security issue often reports it to the software vendor or developer first. This gives the software vendor time to fix the issue before publication. Then, after it is fixed the bug is publicly disclosed. This process is called responsible disclosure.
Sometimes, someone doesn't disclose the zero-day to the software vendor but uses it to hack other systems. Doing this can tip of security companies and disclose the bug, burning the zero-day.
I don't think your statement "most of the time, this same 0day is used since months by black hats" is true. This is true for some security issues, but a lot of zero-day bugs are found for the first time by white-hat hackers. I wouldn't say black hat hackers are ahead of white hat hackers. They both find security issues and some of these overlap. However, the offense has it easier than the defense in that the offense only needs to find one bug, and the defense needs to fix all the bugs.
answered 2 hours ago
Sjoerd
16.1k73856
The person who discovers a security issue often reports it to the software vendor or developer first. This gives the software vendor time to fix the issue before publication. Then, after it is fixed the bug is publicly disclosed. This process is called responsible disclosure.
Sometimes, someone doesn't disclose the zero-day to the software vendor but uses it to hack other systems. Doing this can tip of security companies and disclose the bug, burning the zero-day.
I don't think your statement "most of the time, this same 0day is used since months by black hats" is true. This is true for some security issues, but a lot of zero-day bugs are found for the first time by white-hat hackers. I wouldn't say black hat hackers are ahead of white hat hackers. They both find security issues and some of these overlap. However, the offense has it easier than the defense in that the offense only needs to find one bug, and the defense needs to fix all the bugs.
answered 2 hours ago
Sjoerd
16.1k73856
answered 2 hours ago
Sjoerd
16.1k73856
answered 2 hours ago
Sjoerd
16.1k73856
answered 2 hours ago
Sjoerd
16.1k73856
16.1k73856
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
|
show 2 more comments
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
Thank's for the answer, I said that : "most of the time, this same 0day is used since months by black hats" because i have read a lot of black hats interview saying that they are using those 0day way before any publication
– K.Fanedoul
2 hours ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@pjc50 It is absolutely true that blackhats use 0days months (or years) before they are patched.
– forest
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
@sjoerd note that the definitions in the question changed radically. OP meant "defenders" when the term "what hat" was used. Sorry for the whiplash.
– schroeder♦
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
Apparently zero-days can have very long lifetimes; the paper referred to in this presentation claims zero-days have an average life expectancy of almost 7 years: youtube.com/watch?v=8BMULyCiSK4
– You
1 hour ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
@You: I'd take that number with a huge grain of salt. Just like pretty much any software bugs, most security issues that would have otherwise qualified as 0day are often fixed hours or days after said bug was introduced to a released version of the software, usually without much fanfare, but these never make news (or security trackers) because they don't affect many people. The 0day that tend to make news are those that lives the longest, so there's a massive selection bias.
– Lie Ryan
36 mins ago
|
show 2 more comments
up vote
3
down vote
When a zero-day is released or published, it comes with more than just a fancy name and icon. There are details about how the zero-day is used to exploit the system. Those details form the basis of the defender's response, including how the patch needs to be designed.
For example, with WannaCry/EternalBlue, the vulnerability was found by the NSA and they kept the knowledge to themselves (the same happens in the criminal community where vulnerabilities can be traded on the black market). The details were leaked, which informed Microsoft how to create the patch and it also informed administrators how to defend against it: disable SMBv1 or at least block the SMB port from the Internet.
That's how admins protect themselves. Patching is only one part of "vulnerability management". There are many things that an admin can do to manage vulnerabilities even if they cannot or do not want to patch.
In the WannaCry case, the NHS did not patch, but they also did not employ the other defenses that would have protected themselves.
One large part of my job is designing vulnerability mitigations for systems that cannot be patched for various business reasons. Patching is the better solution, in general, but sometimes it just isn't possible at the time of patching.
... are the blackhats ahead of whitehats?
That poses an interesting problem. If a blackhat finds a problem and only shares it with other blackhats (or other members of the intelligence community), does that mean that blackhats, in aggregate, are ahead of whitehats? Yes. Once a zero-day is exposed, it loses its power (that's the whole point of disclosing it). So to keep it secret, gives it power.
Are blackhats better skilled or use better techniques than whitehats? No. But the shared secrets gives blackhats more power, in aggregate.
answered 1 hour ago
schroeder♦
72.6k29160194
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
add a comment |
up vote
3
down vote
When a zero-day is released or published, it comes with more than just a fancy name and icon. There are details about how the zero-day is used to exploit the system. Those details form the basis of the defender's response, including how the patch needs to be designed.
For example, with WannaCry/EternalBlue, the vulnerability was found by the NSA and they kept the knowledge to themselves (the same happens in the criminal community where vulnerabilities can be traded on the black market). The details were leaked, which informed Microsoft how to create the patch and it also informed administrators how to defend against it: disable SMBv1 or at least block the SMB port from the Internet.
That's how admins protect themselves. Patching is only one part of "vulnerability management". There are many things that an admin can do to manage vulnerabilities even if they cannot or do not want to patch.
In the WannaCry case, the NHS did not patch, but they also did not employ the other defenses that would have protected themselves.
One large part of my job is designing vulnerability mitigations for systems that cannot be patched for various business reasons. Patching is the better solution, in general, but sometimes it just isn't possible at the time of patching.
... are the blackhats ahead of whitehats?
That poses an interesting problem. If a blackhat finds a problem and only shares it with other blackhats (or other members of the intelligence community), does that mean that blackhats, in aggregate, are ahead of whitehats? Yes. Once a zero-day is exposed, it loses its power (that's the whole point of disclosing it). So to keep it secret, gives it power.
Are blackhats better skilled or use better techniques than whitehats? No. But the shared secrets gives blackhats more power, in aggregate.
answered 1 hour ago
schroeder♦
72.6k29160194
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
add a comment |
up vote
3
down vote
up vote
3
down vote
When a zero-day is released or published, it comes with more than just a fancy name and icon. There are details about how the zero-day is used to exploit the system. Those details form the basis of the defender's response, including how the patch needs to be designed.
For example, with WannaCry/EternalBlue, the vulnerability was found by the NSA and they kept the knowledge to themselves (the same happens in the criminal community where vulnerabilities can be traded on the black market). The details were leaked, which informed Microsoft how to create the patch and it also informed administrators how to defend against it: disable SMBv1 or at least block the SMB port from the Internet.
That's how admins protect themselves. Patching is only one part of "vulnerability management". There are many things that an admin can do to manage vulnerabilities even if they cannot or do not want to patch.
In the WannaCry case, the NHS did not patch, but they also did not employ the other defenses that would have protected themselves.
One large part of my job is designing vulnerability mitigations for systems that cannot be patched for various business reasons. Patching is the better solution, in general, but sometimes it just isn't possible at the time of patching.
... are the blackhats ahead of whitehats?
That poses an interesting problem. If a blackhat finds a problem and only shares it with other blackhats (or other members of the intelligence community), does that mean that blackhats, in aggregate, are ahead of whitehats? Yes. Once a zero-day is exposed, it loses its power (that's the whole point of disclosing it). So to keep it secret, gives it power.
Are blackhats better skilled or use better techniques than whitehats? No. But the shared secrets gives blackhats more power, in aggregate.
answered 1 hour ago
schroeder♦
72.6k29160194
When a zero-day is released or published, it comes with more than just a fancy name and icon. There are details about how the zero-day is used to exploit the system. Those details form the basis of the defender's response, including how the patch needs to be designed.
For example, with WannaCry/EternalBlue, the vulnerability was found by the NSA and they kept the knowledge to themselves (the same happens in the criminal community where vulnerabilities can be traded on the black market). The details were leaked, which informed Microsoft how to create the patch and it also informed administrators how to defend against it: disable SMBv1 or at least block the SMB port from the Internet.
That's how admins protect themselves. Patching is only one part of "vulnerability management". There are many things that an admin can do to manage vulnerabilities even if they cannot or do not want to patch.
In the WannaCry case, the NHS did not patch, but they also did not employ the other defenses that would have protected themselves.
One large part of my job is designing vulnerability mitigations for systems that cannot be patched for various business reasons. Patching is the better solution, in general, but sometimes it just isn't possible at the time of patching.
... are the blackhats ahead of whitehats?
That poses an interesting problem. If a blackhat finds a problem and only shares it with other blackhats (or other members of the intelligence community), does that mean that blackhats, in aggregate, are ahead of whitehats? Yes. Once a zero-day is exposed, it loses its power (that's the whole point of disclosing it). So to keep it secret, gives it power.
Are blackhats better skilled or use better techniques than whitehats? No. But the shared secrets gives blackhats more power, in aggregate.
answered 1 hour ago
schroeder♦
72.6k29160194
edited 1 hour ago
answered 1 hour ago
schroeder♦
72.6k29160194
answered 1 hour ago
schroeder♦
72.6k29160194
answered 1 hour ago
schroeder♦
72.6k29160194
72.6k29160194
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
add a comment |
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
I disagree that shared secrets give blackhats more power in aggregate. While there is trading of information in the underground, it's highly localized. I believe it's the culture that prioritizes bug hunting (as opposed to mitigation research) which gives an edge to blackhats. You may fix one bug that I used ROP to exploit, but your lack of effective and ubiquitous CFI means I'll find another in no time.
– forest
32 mins ago
add a comment |
up vote
1
down vote
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
They use temporary workarounds until a patch rolls out.
When news of a 0day comes out, there are often various workarounds that are published which break the exploit by eliminating some prerequisite for abusing the vulnerability. There are many possibilities:
Changing a configuration setting can disable vulnerable functionality.
Turning off vulnerable services, when practical, can prevent exploitation.
Enabling non-default security measures may break the exploit.
Every bug is different, and every mitigation is different. An administrator with a good understanding of security can figure out workarounds on their own if sufficient details about the vulnerability are released. Most administrators, however, will look to security advisories published by the software vendor.
Sometimes, an administrator doesn't have to do anything. This can be the case if the vulnerability only affects a non-default configuration, or a configuration which is not set on their systems. For example, a vulnerability in the DRM video subsystem for Linux need not worry a sysadmin with a LAMP stack, since their servers will not be using DRM anyway. A vulnerability in Apache, on the other hand, might be something they should worry about. A good sysadmin knows what is and isn't a risk factor.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
Whitehats are more sophisticated, but blackhats are more efficient.
Whether or not blackhats are ahead of whitehats is a very subjective question. Blackhats will use whatever works. This means their exploits are effective, but dirty and, at times, unsophisticated. For example, while it is possible to discover the ASLR layout of a browser via side-channel attacks, this isn't really used in the wild since ubiquitous unsophisticated ASLR bypasses already exist. Whitehats on the other hand need to think up fixes and actually get the software vendor to take the report seriously. This does not impact blackhats to nearly the same extent, as they can often start benefiting from their discovery the moment they make it. They don't need to wait for a third party.
From my own experience, blackhats often have a significant edge. This is primarily because the current culture among whitehats is to hunt and squash individual bugs. Less emphasis is put on squashing entire classes of bugs and when it is, sub-par and over-hyped mitigations are what are created (like KASLR). This means blackhats can pump out 0days faster than they can be patched, since so little attention is given to the attack surface area and exploitation vectors that keep being used and re-used.
answered 1 hour ago
forest
29.3k1490104
1
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
|
show 1 more comment
up vote
1
down vote
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
They use temporary workarounds until a patch rolls out.
When news of a 0day comes out, there are often various workarounds that are published which break the exploit by eliminating some prerequisite for abusing the vulnerability. There are many possibilities:
Changing a configuration setting can disable vulnerable functionality.
Turning off vulnerable services, when practical, can prevent exploitation.
Enabling non-default security measures may break the exploit.
Every bug is different, and every mitigation is different. An administrator with a good understanding of security can figure out workarounds on their own if sufficient details about the vulnerability are released. Most administrators, however, will look to security advisories published by the software vendor.
Sometimes, an administrator doesn't have to do anything. This can be the case if the vulnerability only affects a non-default configuration, or a configuration which is not set on their systems. For example, a vulnerability in the DRM video subsystem for Linux need not worry a sysadmin with a LAMP stack, since their servers will not be using DRM anyway. A vulnerability in Apache, on the other hand, might be something they should worry about. A good sysadmin knows what is and isn't a risk factor.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
Whitehats are more sophisticated, but blackhats are more efficient.
Whether or not blackhats are ahead of whitehats is a very subjective question. Blackhats will use whatever works. This means their exploits are effective, but dirty and, at times, unsophisticated. For example, while it is possible to discover the ASLR layout of a browser via side-channel attacks, this isn't really used in the wild since ubiquitous unsophisticated ASLR bypasses already exist. Whitehats on the other hand need to think up fixes and actually get the software vendor to take the report seriously. This does not impact blackhats to nearly the same extent, as they can often start benefiting from their discovery the moment they make it. They don't need to wait for a third party.
From my own experience, blackhats often have a significant edge. This is primarily because the current culture among whitehats is to hunt and squash individual bugs. Less emphasis is put on squashing entire classes of bugs and when it is, sub-par and over-hyped mitigations are what are created (like KASLR). This means blackhats can pump out 0days faster than they can be patched, since so little attention is given to the attack surface area and exploitation vectors that keep being used and re-used.
answered 1 hour ago
forest
29.3k1490104
1
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
|
show 1 more comment
up vote
1
down vote
up vote
1
down vote
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
They use temporary workarounds until a patch rolls out.
When news of a 0day comes out, there are often various workarounds that are published which break the exploit by eliminating some prerequisite for abusing the vulnerability. There are many possibilities:
Changing a configuration setting can disable vulnerable functionality.
Turning off vulnerable services, when practical, can prevent exploitation.
Enabling non-default security measures may break the exploit.
Every bug is different, and every mitigation is different. An administrator with a good understanding of security can figure out workarounds on their own if sufficient details about the vulnerability are released. Most administrators, however, will look to security advisories published by the software vendor.
Sometimes, an administrator doesn't have to do anything. This can be the case if the vulnerability only affects a non-default configuration, or a configuration which is not set on their systems. For example, a vulnerability in the DRM video subsystem for Linux need not worry a sysadmin with a LAMP stack, since their servers will not be using DRM anyway. A vulnerability in Apache, on the other hand, might be something they should worry about. A good sysadmin knows what is and isn't a risk factor.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
Whitehats are more sophisticated, but blackhats are more efficient.
Whether or not blackhats are ahead of whitehats is a very subjective question. Blackhats will use whatever works. This means their exploits are effective, but dirty and, at times, unsophisticated. For example, while it is possible to discover the ASLR layout of a browser via side-channel attacks, this isn't really used in the wild since ubiquitous unsophisticated ASLR bypasses already exist. Whitehats on the other hand need to think up fixes and actually get the software vendor to take the report seriously. This does not impact blackhats to nearly the same extent, as they can often start benefiting from their discovery the moment they make it. They don't need to wait for a third party.
From my own experience, blackhats often have a significant edge. This is primarily because the current culture among whitehats is to hunt and squash individual bugs. Less emphasis is put on squashing entire classes of bugs and when it is, sub-par and over-hyped mitigations are what are created (like KASLR). This means blackhats can pump out 0days faster than they can be patched, since so little attention is given to the attack surface area and exploitation vectors that keep being used and re-used.
answered 1 hour ago
forest
29.3k1490104
When a 0day is published, how can an administrator secure his application/website between the time the 0day is published and the patch is developed ?
They use temporary workarounds until a patch rolls out.
When news of a 0day comes out, there are often various workarounds that are published which break the exploit by eliminating some prerequisite for abusing the vulnerability. There are many possibilities:
Changing a configuration setting can disable vulnerable functionality.
Turning off vulnerable services, when practical, can prevent exploitation.
Enabling non-default security measures may break the exploit.
Every bug is different, and every mitigation is different. An administrator with a good understanding of security can figure out workarounds on their own if sufficient details about the vulnerability are released. Most administrators, however, will look to security advisories published by the software vendor.
Sometimes, an administrator doesn't have to do anything. This can be the case if the vulnerability only affects a non-default configuration, or a configuration which is not set on their systems. For example, a vulnerability in the DRM video subsystem for Linux need not worry a sysadmin with a LAMP stack, since their servers will not be using DRM anyway. A vulnerability in Apache, on the other hand, might be something they should worry about. A good sysadmin knows what is and isn't a risk factor.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats ?
Whitehats are more sophisticated, but blackhats are more efficient.
Whether or not blackhats are ahead of whitehats is a very subjective question. Blackhats will use whatever works. This means their exploits are effective, but dirty and, at times, unsophisticated. For example, while it is possible to discover the ASLR layout of a browser via side-channel attacks, this isn't really used in the wild since ubiquitous unsophisticated ASLR bypasses already exist. Whitehats on the other hand need to think up fixes and actually get the software vendor to take the report seriously. This does not impact blackhats to nearly the same extent, as they can often start benefiting from their discovery the moment they make it. They don't need to wait for a third party.
From my own experience, blackhats often have a significant edge. This is primarily because the current culture among whitehats is to hunt and squash individual bugs. Less emphasis is put on squashing entire classes of bugs and when it is, sub-par and over-hyped mitigations are what are created (like KASLR). This means blackhats can pump out 0days faster than they can be patched, since so little attention is given to the attack surface area and exploitation vectors that keep being used and re-used.
answered 1 hour ago
forest
29.3k1490104
edited 40 mins ago
answered 1 hour ago
forest
29.3k1490104
answered 1 hour ago
forest
29.3k1490104
answered 1 hour ago
forest
29.3k1490104
29.3k1490104
1
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
|
show 1 more comment
1
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
1
1
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
Another important difference is that the whitehats often have to convince the software vendor to fix the issue and find a fix/mitigation technique. The blackhats don't have to care about that.
– Lie Ryan
48 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
@LieRyan Great point! That is very true.
– forest
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
Zero-day whitehat researchers are academics? In my experience, they are commercial researchers employed by security vendors and companies. Difficult to get research funding for academic research into specific zero-days.
– schroeder♦
47 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
@schroeder Most of them are academics when you look at the volume of research that is pumped out.
– forest
45 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
I do look, that's why I'm commenting. Research is done by academics. Zero-days are different.
– schroeder♦
44 mins ago
|
show 1 more comment
up vote
1
down vote
When a 0day is published, how can a whitehat secure his application/website between the time the 0day is published and the patch is developed?
Sometimes there are workarounds which fix or mitigate the problem.
- Sometimes you can disable some feature or change some setting in the software which causes the exploit to not work anymore. For example, infection with the Morris Worm from 1988 could be prevented by creating a directory
/usr/tmp/sh. This confused the worm and prevented it from working. - Sometimes the exploit requires some kind of user interaction. In that case you can warn the users to not do that. ("Do not open emails with the subject line ILOVEYOU")
- Sometimes the attack is easy to identify on the network, so you can block it with some more or less complicated firewall rule. The Conficker virus, for example, was targeting a vulnerability in the Windows Remote Procedure Call service. There was usually no reason for this feature to be accessible from outside the local network at all, so it was possible to protect a whole network by simply blocking outside requests to port 445 TCP.
But that's not always the case.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats?
It happens quite frequently that developers / whitehats discover a possible security vulnerability in their software and patch it before it gets exploited. The first step of responsible disclosure is to inform the developers so they can fix the vulnerability before you publish it.
But you usually don't hear about that in the media. When point 59 of the patch notes for SomeTool 1.3.9.53 reads "fixed possible buffer overflow when processing malformed foobar files" that's usually not particularly newsworthy.
answered 1 hour ago
Philipp
43.7k7112138
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was tomkdir /tmp/sh.
– a CVn
36 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
add a comment |
up vote
1
down vote
When a 0day is published, how can a whitehat secure his application/website between the time the 0day is published and the patch is developed?
Sometimes there are workarounds which fix or mitigate the problem.
- Sometimes you can disable some feature or change some setting in the software which causes the exploit to not work anymore. For example, infection with the Morris Worm from 1988 could be prevented by creating a directory
/usr/tmp/sh. This confused the worm and prevented it from working. - Sometimes the exploit requires some kind of user interaction. In that case you can warn the users to not do that. ("Do not open emails with the subject line ILOVEYOU")
- Sometimes the attack is easy to identify on the network, so you can block it with some more or less complicated firewall rule. The Conficker virus, for example, was targeting a vulnerability in the Windows Remote Procedure Call service. There was usually no reason for this feature to be accessible from outside the local network at all, so it was possible to protect a whole network by simply blocking outside requests to port 445 TCP.
But that's not always the case.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats?
It happens quite frequently that developers / whitehats discover a possible security vulnerability in their software and patch it before it gets exploited. The first step of responsible disclosure is to inform the developers so they can fix the vulnerability before you publish it.
But you usually don't hear about that in the media. When point 59 of the patch notes for SomeTool 1.3.9.53 reads "fixed possible buffer overflow when processing malformed foobar files" that's usually not particularly newsworthy.
answered 1 hour ago
Philipp
43.7k7112138
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was tomkdir /tmp/sh.
– a CVn
36 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
add a comment |
up vote
1
down vote
up vote
1
down vote
When a 0day is published, how can a whitehat secure his application/website between the time the 0day is published and the patch is developed?
Sometimes there are workarounds which fix or mitigate the problem.
- Sometimes you can disable some feature or change some setting in the software which causes the exploit to not work anymore. For example, infection with the Morris Worm from 1988 could be prevented by creating a directory
/usr/tmp/sh. This confused the worm and prevented it from working. - Sometimes the exploit requires some kind of user interaction. In that case you can warn the users to not do that. ("Do not open emails with the subject line ILOVEYOU")
- Sometimes the attack is easy to identify on the network, so you can block it with some more or less complicated firewall rule. The Conficker virus, for example, was targeting a vulnerability in the Windows Remote Procedure Call service. There was usually no reason for this feature to be accessible from outside the local network at all, so it was possible to protect a whole network by simply blocking outside requests to port 445 TCP.
But that's not always the case.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats?
It happens quite frequently that developers / whitehats discover a possible security vulnerability in their software and patch it before it gets exploited. The first step of responsible disclosure is to inform the developers so they can fix the vulnerability before you publish it.
But you usually don't hear about that in the media. When point 59 of the patch notes for SomeTool 1.3.9.53 reads "fixed possible buffer overflow when processing malformed foobar files" that's usually not particularly newsworthy.
answered 1 hour ago
Philipp
43.7k7112138
When a 0day is published, how can a whitehat secure his application/website between the time the 0day is published and the patch is developed?
Sometimes there are workarounds which fix or mitigate the problem.
- Sometimes you can disable some feature or change some setting in the software which causes the exploit to not work anymore. For example, infection with the Morris Worm from 1988 could be prevented by creating a directory
/usr/tmp/sh. This confused the worm and prevented it from working. - Sometimes the exploit requires some kind of user interaction. In that case you can warn the users to not do that. ("Do not open emails with the subject line ILOVEYOU")
- Sometimes the attack is easy to identify on the network, so you can block it with some more or less complicated firewall rule. The Conficker virus, for example, was targeting a vulnerability in the Windows Remote Procedure Call service. There was usually no reason for this feature to be accessible from outside the local network at all, so it was possible to protect a whole network by simply blocking outside requests to port 445 TCP.
But that's not always the case.
Moreover, most of the time, this same 0day is used for months by blackhats, so are the blackhats ahead of whitehats?
It happens quite frequently that developers / whitehats discover a possible security vulnerability in their software and patch it before it gets exploited. The first step of responsible disclosure is to inform the developers so they can fix the vulnerability before you publish it.
But you usually don't hear about that in the media. When point 59 of the patch notes for SomeTool 1.3.9.53 reads "fixed possible buffer overflow when processing malformed foobar files" that's usually not particularly newsworthy.
answered 1 hour ago
Philipp
43.7k7112138
edited 2 mins ago
answered 1 hour ago
Philipp
43.7k7112138
answered 1 hour ago
Philipp
43.7k7112138
answered 1 hour ago
Philipp
43.7k7112138
43.7k7112138
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was tomkdir /tmp/sh.
– a CVn
36 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
add a comment |
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was tomkdir /tmp/sh.
– a CVn
36 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was to
mkdir /tmp/sh.– a CVn
36 mins ago
I believe your Morris worm example is a poor one. The Morris worm used several vulnerabilities for jumping between and infecting systems, of which the fingerd flaw was one. (There was also at least sendmail's debug mode, and common user account passwords.) If I recall correctly, the real trick to defuse that one was to
mkdir /tmp/sh.– a CVn
36 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
@aCVn Fixed. Thank you.
– Philipp
2 mins ago
add a comment |
K.Fanedoul is a new contributor. Be nice, and check out our Code of Conduct.
K.Fanedoul is a new contributor. Be nice, and check out our Code of Conduct.
K.Fanedoul is a new contributor. Be nice, and check out our Code of Conduct.
K.Fanedoul is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199672%2fhow-can-an-administrator-secure-a-0day-before-patches-are-available%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
As a classification of their activities, yes. WHs locate vulnerabilities and often recommend solutions, but they are not typically the ones expected to deploy the solutions. They are external people given permission to test. A web admin is not classed as a "whitehat".
– schroeder♦
1 hour ago
I understand that they can be external but in this case, who secure the application after the testers did their job ? The admin ?
– K.Fanedoul
1 hour ago
Yes, the admin.
– schroeder♦
1 hour ago
Your latest edit changes the question sufficiently that the existing answer no longer applies.
– forest
1 hour ago
There's always one way to prevent every security issue immediately: Shutting down the system.
– Fabian Röling
1 hour ago