SANS Top-20 Internet Security Attack Targets: Zero Day Attacks and Prevention Strategies  
Author: Max : 2006/11/26
Z1.1. Description

While the risks of zero day vulnerabilities in popular applications and subsequent exploitation have been discussed for several years, zero day attacks saw a significant upward trend in 2006. A zero day vulnerability occurs when a flaw in software code has been discovered and exploits of the flaw appear before a fix or patch is available. If a working exploit of the vulnerability is released into the wild, users of the affected software are exposed to attacks until a software patch is available or some form of mitigation is taken by the user. Mitigation and protection steps are explained later in this section.

Z1.2. Affected OSs

All operating systems and all software applications are vulnerable to zero day vulnerability discovery and exploitation. While the targets of most attacks this year were Microsoft products, Apple suffered from several zero day exploits as well. Other than Apple's OS X, no zero day attacks were reported for Linux, BSD, or other Unix-based operating systems.

Z1.3. CVE Entries

This past year several vulnerabilities had public exploits available before the official patch or remedy was issued. Some example CVE entries that reflect this trend are:
Z1.4. How to Protect Against the Vulnerabilities

Protecting against zero day vulnerability exploitation is a matter of great concern for most system administrators. To reduce the impact of a zero day attack, follow best business practices such as:

  • Adopt a deny-all stance on firewalls and perimeter devices that protect internal networks
  • Separate public-facing servers from internal systems
  • Turn off unneeded services and remove user applications that do not support operational needs
  • Follow the Principle of Least Privilege in setting user access controls, permissions, and rights
  • Restrict or limit the use of active code such as JavaScript or ActiveX in browsers
  • Educate users about opening unsolicited file attachments
  • Disable the ability to follow links in email
  • Disable the ability to automatically download images from the web in email
  • Maintain an aggressive in-house security alerting and warning service (or outsource the capability) to become aware of zero-day exploits as they become public
  • Use end-point management solutions to rapidly issue patches or workarounds as they become available
  • If you use Microsoft's Active Directory, take maximum advantage of Group Policy Objects to control user access
  • Do not rely on antivirus protection alone, since zero-day attacks are often not detectable until new signatures are released
  • Use third-party buffer overflow protection where possible on all systems
  • Follow vendor recommendations on workarounds and mitigations until a patch is available
