Researchers from Google’s Project Zero examined 18 zero-day vulnerabilities exploited by hackers this year before a patch was available; they found that half those vulnerabilities could have been avoided if software vendors had been more diligent in developing and testing patches.
The study included zero-day vulnerabilities in software such as Microsoft Windows, Apple iOS and WebKit, Google Chromium and Pixel and Atlassian’s Confluence Server.
“At least half of the [zero]-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” Maddie Stone of Google Project Zero wrote in a blog post. “On top of that, four of the 2022 [zero]-days are variants of 2021 in-the-wild [zero]-days. Just 12 months from the original in-the-wild [zero]-day being patched, attackers came back with a variant of the original bug.”
As dire as that sounds, however, Google Project Zero's review was limited to zero-day vulnerabilities found in major vendors' software—so the evaluation does not cover all zero-day vulnerabilities from 2022.
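To make the "comprehensive patching and regression tests" point concrete, here is an added, constructed example (not code from Project Zero's report or from any vendor named above). It contrasts a patch that only blocks the exact input seen in the wild with a fix that addresses the bug class, and judges both with a regression suite that includes variants of the original input. The file-serving scenario, the `BASE` path and the sample inputs are all invented for illustration.

```python
"""Added example (constructed): a narrow patch versus a root-cause fix for a
toy path-traversal bug, checked against a regression suite that includes
variants of the originally reported input.
"""
import posixpath
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote

BASE = "/srv/app/public"  # constructed web root for the toy file server


def narrow_patch(user_path: str) -> Optional[str]:
    """'Patch' that rejects only the literal sequence from the original report.

    Returns the path to serve, or None when the request is rejected.
    """
    if "../" in user_path:
        return None
    return posixpath.join(BASE, user_path)


def root_cause_fix(user_path: str) -> Optional[str]:
    """Fix for the bug class: canonicalise the request, then check containment.

    Any spelling of a traversal (encoded, backslash, absolute path) resolves
    to something outside BASE and is rejected; legitimate paths still work.
    """
    decoded = unquote(user_path).replace("\\", "/")  # one decode pass; treat '\' as a separator
    resolved = posixpath.normpath(posixpath.join(BASE, decoded))
    if resolved != BASE and not resolved.startswith(BASE + "/"):
        return None
    return resolved


# Regression suite: the originally reported input plus variants of the same class.
# Every entry must be rejected; a patch that accepts one has been bypassed by a variant.
MUST_REJECT: List[str] = [
    "../../secret.txt",            # the originally reported input
    "..%2f..%2fsecret.txt",        # variant: URL-encoded separator
    "%2e%2e/%2e%2e/secret.txt",    # variant: URL-encoded dots
    "..\\..\\secret.txt",          # variant: backslash separator
    "/secret.txt",                 # variant: absolute path, posixpath.join() discards BASE
]

# Legitimate requests that must keep working; breaking them is also a regression.
MUST_ACCEPT: List[str] = [
    "images/logo.png",
    "css/../js/app.js",            # stays inside BASE after normalisation
]


def run_regression(impl: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Return the suite entries on which `impl` fails, in both directions."""
    return {
        "accepted_but_should_reject": [p for p in MUST_REJECT if impl(p) is not None],
        "rejected_but_should_accept": [p for p in MUST_ACCEPT if impl(p) is None],
    }


if __name__ == "__main__":
    for impl in (narrow_patch, root_cause_fix):
        print(impl.__name__, run_regression(impl))
```

Run as written, `narrow_patch` accepts four of the five traversal variants and also rejects the legitimate `css/../js/app.js`, while `root_cause_fix` passes the whole suite. The lesson is the one the report draws: the regression suite should encode the bug class, not just the sample that was exploited, so a variant of last year's bug fails the build instead of shipping.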
Older Bugs, New Exploits
Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said it makes sense that half of those vulnerabilities exist because earlier bugs were not properly addressed; it matches the many anecdotal reports of how understaffed and overworked security teams are.
“If there is a constant triage situation, organizations will look for ways to mitigate vulnerabilities rather than fix them through patching,” he said. “Mitigation is being overused as a strategy by organizations—finding a better balance between mitigation and remediation would reduce the risk of older bugs being used in current exploits.”
He added that this statistic also reflects the shift of vulnerabilities from data centers (and corporate computing run by IT) to OT/IoT devices managed by lines of business.
“The line-of-business organizations often lack both the training and the solutions to maintain IoT devices on the latest and most secure firmware versions,” Broomhead said.
Tim McGuffin, director of adversarial engineering at LARES Consulting, an information security consulting firm, noted that when a new vulnerability is identified in a function, it often draws the attention of other security researchers, who then find further vulnerabilities in the same or related functions.
“Once so many eyes understand the function and flow of the program, it’s easier to identify bypasses in patched code,” he said. “‘Diffing’ the vulnerable file and patched file allows for rapid identification of what changed between versions, pointing researchers directly at what needs to be bypassed.”
Zero-Days and the State of Cybersecurity
As for the state of cybersecurity, McGuffin said modern networks and operating systems are highly complex systems of interconnected components.
“Every line of code added allows for new vulnerabilities to sneak in, and we’re adding hundreds of thousands to millions of lines a year,” he explained. “Vulnerabilities can exist in individual components and connections between components, providing a huge attack surface for anyone willing to take the time to look.”
He noted that over the last 25+ years the industry has done a good job of moving attackers higher up the stack and has made entire classes of vulnerabilities harder to exploit. However, making those changes takes a lot of time and involves a lot of testing for backward compatibility; meanwhile, new classes of vulnerabilities are identified all the time.
From his perspective, patching is the bare minimum an organization should do to mitigate modern vulnerabilities.
“OS and application patching should be an automated process after appropriate testing based on the organization’s risk tolerance and requirements are defined,” McGuffin said. “Many systems can be built in a fault-tolerant and highly available fashion to allow for patching without service disruption, but some systems just can’t be architected that way yet.”
He added that while patching provides mitigation against known vulnerabilities, organizations have to be aware of unknown or unpatched vulnerabilities as well.
Broomhead said a comprehensive approach to patching requires starting with an accurate and detailed asset inventory.
This is especially important for OT/IoT devices that are managed outside of IT and may not be visible to it or assessed for cybersecurity vulnerabilities.
“Organizations also need to define appropriate strategies for patching based on the device type,” he added. “For traditional compute devices, agent-based automated patching mechanisms should be used.”
For OT/IoT devices, an agentless automated firmware update mechanism should be used and, in both cases, the patching solution must also support an audit trail for risk and compliance reporting.
“The patching process also needs to ensure that the overall workflow—not just the newly patched device—is working properly,” he said. “Tightly coupled IoT devices and applications, for example, require a patching mechanism that can ensure that the applications will continue to work with the updated device.”
McGuffin explained that the most important thing an organization can do is proper asset management.
“Identify what systems you have, where your sensitive data lies, where your business processes happen and what systems are required to pull that off,” he said. “Third-party asset inventory tools can be useful to identify gaps in coverage or where agents may not be properly deployed.”
He added that missing agents create lapses in visibility, and attackers will find those blank spaces and live in them. External and internal vulnerability scanning and configuration management tools can help identify systems and record their patch levels, as well as a large percentage of known vulnerabilities.
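The asset-management advice from both experts reduces to reconciling the views an organization already has of its estate. As an added example (constructed data, not output from any real inventory, agent or scanner product), the script below compares an inventory export, endpoint-agent check-ins and scanner-discovered hosts to surface the gaps described above: inventoried hosts with no agent or a stale one, hosts the scanner found that the inventory does not know about, and inventoried hosts the scanner never reached. The hostnames, timestamps and the convention that `.ot.example` hosts are agentless OT devices are all assumptions made for the example.

```python
"""Added example (constructed): reconcile inventory, agent check-ins and scan
results to find visibility gaps (missing or stale agents, unknown hosts)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed sample data. Real inputs would be a CMDB export, the agent
# console's last-seen report and the scanner's discovered-host list.
INVENTORY = [
    "web-01.corp.example",
    "web-02.corp.example",
    "db-01.corp.example",
    "cam-lobby-1.ot.example",      # OT device: agentless by design (assumed convention)
]
AGENT_CHECKINS = {                 # hostname -> last check-in, UTC (note the mixed case)
    "WEB-01.corp.example": "2022-07-01T08:00:00Z",
    "db-01.corp.example": "2022-05-15T03:20:00Z",
}
SCANNED_HOSTS = [
    "web-01.corp.example",
    "web-02.corp.example",
    "db-01.corp.example",
    "cam-lobby-1.ot.example",
    "printer-3f.corp.example",     # seen by the scanner, absent from the inventory
]

NOW = datetime(2022, 7, 5, tzinfo=timezone.utc)  # fixed so results are reproducible
STALE_AFTER = timedelta(days=7)


def normalise(host: str) -> str:
    """Lower-case and strip a trailing dot so the same host matches across sources."""
    return host.strip().lower().rstrip(".")


def is_agentless_device(host: str) -> bool:
    """Assumed convention: OT/IoT devices live under .ot.example and carry no agent."""
    return host.endswith(".ot.example")


def coverage_gaps(
    inventory: Iterable[str],
    agent_checkins: Dict[str, str],
    scanned: Iterable[str],
    now: datetime = NOW,
    stale_after: timedelta = STALE_AFTER,
) -> Dict[str, List[str]]:
    """Return the visibility gaps between the three views of the estate."""
    inv = {normalise(h) for h in inventory}
    scan = {normalise(h) for h in scanned}
    last_seen = {
        normalise(h): datetime.fromisoformat(ts.replace("Z", "+00:00"))
        for h, ts in agent_checkins.items()
    }
    return {
        # Compute hosts that should have an agent but have never checked in.
        "no_agent": sorted(
            h for h in inv if h not in last_seen and not is_agentless_device(h)
        ),
        # Agents that exist but have gone quiet: a blind spot that looks covered.
        "stale_agent": sorted(h for h, ts in last_seen.items() if now - ts > stale_after),
        # Agentless devices need a firmware-level check instead of an agent.
        "agentless_needs_firmware_check": sorted(h for h in inv if is_agentless_device(h)),
        # Hosts the scanner found that nobody owns in the inventory.
        "unknown_to_inventory": sorted(scan - inv),
        # Inventoried hosts the scanner never reached.
        "not_scanned": sorted(inv - scan),
    }


if __name__ == "__main__":
    for bucket, hosts in coverage_gaps(INVENTORY, AGENT_CHECKINS, SCANNED_HOSTS).items():
        print(f"{bucket}: {hosts}")
```

Each bucket maps to an action rather than a report line: deploy or repair agents for the first two, route OT devices to the agentless firmware process the text describes, and get unowned hosts into the inventory before they become the blank space an attacker lives in.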
Broomhead added that within an organization, bringing together all the stakeholders (CISO, CIO, lines of business leaders) to coordinate actions and share information is imperative.
He pointed out that several organizations have formed, or are in the process of forming, an ‘IoT Committee’, a ‘Fusion Center’, a ‘Security Committee’ or something similar that addresses the organization’s overall cybersecurity risk and breaks down internal silos and differences in how cybersecurity is implemented.
“Breaking down silos is critical—threat actors don’t view an organization based on silos, they are looking for the weakest part to exploit,” he said.