Customers of major software vendors take comfort whenever a vendor issues a security fix for a critical vulnerability. They expect that applying the update will keep attackers from exploiting the flaw to steal sensitive information. But data from Google's vulnerability research team, Project Zero, on the 0-day exploits detected in the wild in 2020 suggests that security fixes are often less effective than they appear.
According to Google, “25 percent of the 0-days detected in 2020 were closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored.”
A correct patch is one that fixes a bug with complete accuracy, meaning the patch no longer allows any exploitation of the vulnerability. A comprehensive patch applies that fix everywhere it needs to be applied, covering all variants. A patch is considered complete only when it is both correct and comprehensive.
However, vendors frequently block only the specific code path demonstrated in the proof-of-concept or captured exploit sample, rather than fixing the root cause of the vulnerability, which would close every path to it. Across the industry, such incomplete patches, which neither correctly nor comprehensively fix the root cause, let attackers field new 0-days against users with far less effort than finding a fresh vulnerability would require.
In some of these cases, attackers only had to change a line or two of their existing exploit to obtain a new working 0-day. For example, the same actor exploited closely related vulnerabilities in Internet Explorer's JScript engine four separate times between 2018 and 2020.
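The following is an added illustration, written for this page rather than taken from Google's report or from any real vendor's code. It uses a constructed path-traversal bug in a toy file server (the web root, endpoint names and sample inputs are all made up) to show the difference between a patch that blocks only the reported proof-of-concept string and one that fixes the root cause:

```python
"""Constructed example: an incomplete patch versus a complete one.

Everything here is hypothetical. WEB_ROOT and the sample inputs are made up;
no real product or CVE is described.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/public"  # assumed document root for the toy server


def serve_unpatched(user_path):
    """Original vulnerable code: decodes the request and joins it to the root.

    Nothing checks that the result stays under WEB_ROOT, so "../" sequences
    and absolute paths escape the document root.
    """
    decoded = unquote(user_path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded))


def serve_incomplete_patch(user_path):
    """The 'block the PoC' fix: reject the exact byte sequence the report showed.

    It is neither correct (the URL-encoded form and an absolute path still
    escape) nor comprehensive (any other endpoint that joins paths is untouched).
    """
    if "../" in user_path:
        return None  # request rejected
    return serve_unpatched(user_path)


def is_inside_root(resolved_path, root=WEB_ROOT):
    """Root-cause check: the normalized path must be the root or live below it.

    Putting the check in one helper is what makes a patch comprehensive: every
    endpoint that resolves a user-supplied path calls the same function.
    """
    return resolved_path == root or resolved_path.startswith(root + "/")


def serve_complete_patch(user_path):
    """Complete fix: decode, normalize, then verify the final location.

    Because the decision is made on the fully resolved path, it does not matter
    how the traversal was spelled (plain, percent-encoded, or an absolute path).
    """
    decoded = unquote(user_path)
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if not is_inside_root(resolved):
        return None  # request rejected
    return resolved


# Constructed test inputs: the reported PoC plus two trivial variants an
# attacker could switch to after the incomplete patch shipped.
SAMPLE_REQUESTS = {
    "poc":      "../../../etc/passwd",
    "encoded":  "..%2F..%2F..%2Fetc/passwd",
    "absolute": "/etc/passwd",
    "benign":   "css/site.css",
}


def escapes_root(handler, user_path):
    """True if the handler serves a file from outside WEB_ROOT."""
    result = handler(user_path)
    return result is not None and not is_inside_root(result)


def compare_patches():
    """Return, per sample request, which of the three versions still escapes."""
    handlers = {
        "unpatched": serve_unpatched,
        "incomplete": serve_incomplete_patch,
        "complete": serve_complete_patch,
    }
    return {
        name: {label: escapes_root(h, path) for label, h in handlers.items()}
        for name, path in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, outcome in compare_patches().items():
        print(f"{name:9s} {outcome}")
```

Running it shows the pattern Project Zero describes: the incomplete patch stops the exact proof-of-concept but still serves `/etc/passwd` for the percent-encoded and absolute-path variants, a one-line change for the attacker, while the complete patch rejects all three and still serves the benign request.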
Preventing 0-day Attacks
The goal is to force attackers to start from scratch each time one of their exploits is detected: they must discover an entirely new vulnerability, invest the time to learn and analyze a new attack surface, and develop a brand new exploitation method. Every 0-day that can be revived with a one-line change skips all of that work, so a patch that fixes the root cause raises the attacker's cost far more than one that only blocks the known sample.
Being able to patch correctly and comprehensively is not a matter of flicking a switch: it requires investment, prioritization and planning. Yeo & Yeo Computer Consulting's YeoCare Managed Services are designed to keep your network healthy and to detect failures before they happen. Learn more about how YeoCare can help protect your organization.