Avoiding Zero Day Exploits
Recently, software giants Microsoft and Oracle were hit by zero-day exploits that could affect users of Internet Explorer and Java software. The term 'zero-day exploit' sounds sinister and dramatic, but what does it mean? Find out now, along with what you need to do to stay safe...
What is a Zero-Day Exploit?
Very simply, a zero-day exploit is a security vulnerability discovered in a piece of software on the same day the software developer becomes aware of the vulnerability. In other words, the developer literally has zero days in which to come up with a fix for a potentially serious problem. Typically, when a security researcher discovers a software flaw, they'll notify the software company so that a fix can be released before malicious hackers are able to exploit it. But in the case where Evil Hackers discover the flaw and begin to actively exploit it, you have a zero-day scenario. Let's look at these two recent examples to see why zero-day exploits make headlines.
In Oracle's case, serious security flaws were discovered in the Java software that's installed on tens of millions of computers around the world. It was discovered that simply visiting a compromised website could trigger a virus infection that was capable of seizing control of a user's computer. Oracle released a patch, but it took three days. Almost immediately, two more flaws were found in the patched version. Panic, confusion and hysteria in both the tech press and user community ensued. You can read more about this incident in my article "Is Java Safe and Do I Need It?"
The Java incident happened in January 2013, but just this week a zero-day exploit was discovered that affects all versions of Internet Explorer. Hackers were already exploiting the flaw, which makes it possible for a virus to hijack a user's computer by virtue of visiting a compromised website. Microsoft responded quickly with a temporary patch that can be applied with a Fixit tool, but it only helps those running 32-bit versions of Internet Explorer. However, most newer computers are 64-bit. If you're affected, consider using the Google Chrome or Firefox browser as an alternative, at least until Microsoft provides a fix.
Should I Panic?
A zero-day exploit seldom results in widespread mass infections of computers with malware. Security researchers - sometimes called "white hats" - detect many vulnerabilities before hackers do, and responsible companies patch vulnerabilities quickly. But some zero-day exploits go unpatched much longer, and that can be a problem as more and more malware is released to exploit the vulnerabilities.
Don't panic when you read that a "new zero-day exploit has been detected" in any program you use. Just learn how the exploit works and avoid it. That may mean not using a particular program, not clicking on email attachments, or avoiding unknown Web sites and those known to be compromised by the exploit. Be especially wary of email phishing scams, as this is the most common way for cybercrooks to entice people to visit compromised websites.
Check for patches at software developers' Web sites as soon as you learn about zero-day exploits. Not every developer proactively distributes patches, so you may have to find, download, and install a patch yourself. Subscribe to automatic installation of at least "critical security updates" for your operating system and application software, if they're available. Use anti-malware software to constantly monitor your computer and its incoming Internet traffic for suspicious activity or software code.
Another good idea is to scan your software for vulnerabilities using the Secunia Personal Software Inspector (PSI). This free program will tell you which programs need updating and provide links to sites where you can download patches.
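The core check behind an update scanner like the one described above, as an added example (this is not code from Secunia PSI or from this article): compare each installed program's version against the lowest patched version, number by number. The program names, version numbers and baseline are all constructed for illustration.

```python
import re

# Constructed baseline: lowest version of each program that contains the
# latest security fix. Names and numbers are made up for illustration.
MIN_PATCHED = {
    "example runtime": "7.0.11",
    "example browser": "10.0.9",
    "example player": "11.1",
    "example tool": "2.0",
}

# Constructed inventory, as a scanner might read it from the list of
# installed programs: (display name, version string).
INSTALLED = [
    ("Example Runtime", "7.0.9"),        # older than the baseline
    ("Example Browser", "10.0.10"),      # newer: 10 > 9 when compared as numbers
    ("Example Player", "11.1.0"),        # equal to "11.1" once padded
    ("Example Editor", "3.2"),           # not in the baseline at all
    ("Example Tool", "build-unknown"),   # version string has no numbers
]

def parse_version(text):
    """Return the numeric parts as a tuple of ints, or None if there are none."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) if parts else None

def is_older(installed, required):
    """Compare two version tuples after padding the shorter one with zeros."""
    width = max(len(installed), len(required))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(required)

def audit(installed, baseline):
    """Classify each program as 'outdated', 'ok' or 'unknown'."""
    report = {}
    for name, version in installed:
        required = baseline.get(name.lower())
        have = parse_version(version)
        if required is None or have is None:
            # Not tracked, or version unreadable: report it rather than guess.
            report[name] = "unknown"
        elif is_older(have, parse_version(required)):
            report[name] = "outdated"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, status in audit(INSTALLED, MIN_PATCHED).items():
        print(f"{name:18} {status}")
```

Comparing the raw strings instead would rank "10.0.10" below "10.0.9" and flag a fully patched program as outdated, which is why the versions are split into numbers first.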
A zero-day exploit is simply a newly discovered threat, a possible avenue of attack. It is not an actual attack. As the ancient Romans said, "Our fears always outnumber our dangers."
Do you have something to say about zero-day exploits? Post your comment or question below...
This article was posted by Bob Rankin on 20 Sep 2013
Article information: AskBobRankin -- Avoiding Zero Day Exploits (Posted: 20 Sep 2013)
Source: https://askbobrankin.com/avoiding_zero_day_exploits.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Avoiding Zero Day Exploits"
Posted by:
Andy
20 Sep 2013
Hi Bob,
Just a quick note to say that the "Fixit Tool" link goes to your article on "Is Java Safe and Do I Need It?"
I am trying to find the correct link.
Anyway, my IE doesn't say that it's 64-bit even though my laptop is 64-bit.
EDITOR'S NOTE: Thanks! I've fixed the link now.
Posted by:
Carole
20 Sep 2013
There are times I wish they would dump both Java Script and Adobe Flash, returning to HTML. I realize there are things you are unable to do without Java or Flash. Ever since Sun sold Java to Oracle, there is nothing but problems.
This was an article in the Chicago Tribune back in January, 2013 about Java Script.
The U.S. Department of Homeland Security reiterated advice for computer users to disable Oracle Corp.'s widely used Java software for surfing the Web, saying it still poses risks to users after the company released an emergency update over the weekend.
"Unless it is absolutely necessary to run Java in Web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.
Posted by:
RandiO
20 Sep 2013
So, Bob!
Let me get this straight:
If my CreditCard# is stolen while shopping in San Diego California, and an evil script kiddie uses that CC# on the same day in Bangor Maine: Do I get 3 days to notify the CC issuer bank or have I been the victim of a zero-day exploit?
TGIF! :0
Posted by:
Kirill
20 Sep 2013
To Carole: Java and Java Script are completely different things. Unlike Java Script, Java works on zillions of embedded systems and that makes any Java vulnerability so serious. Also Java Script has nothing to do with Oracle. JS was influenced by Java and they have some similarities in syntax, but nothing else.
Posted by:
Doc
20 Sep 2013
IDEAS FOR SMALL BLURBS: 1) I heard on a BBC tech programme that AdBlocker Plus (?) now has part of their business model being that for $X they will sell you a (and here is where it gets foggy since I was driving and had to pay attention) - code that by-passes their security and allows their blocker to just not go down for them, but also allows them to plant cookies (which can read other cookies) on your computer - thus the program sells the key to the lock that keeps the bad guys out. Seems they 'white list' companies who pay them - found a source written earlier than the Sept. news-spot I got from BBC:
http://www.independent.co.uk/life-style/gadgets-and-tech/google-reportedly-paying-adblock-plus-to-greenlight-their-ads-8695598.html
Perhaps a warning if it's true?
=======================================
2) I just saw the new GUI to SpyBot Search and Destroy - HOLY COW! NOT the seemingly small unobtrusive program any more - but what looks like a full-fledged registry and disk cleaner with their own anti-virus program built in. Didn't see a word about this old program that's so old, I'll bet your bus drove over the dirt made from the original rocks of that program. Is this one of those things where V1 IS better than V2? (though of course updates for V1 would have stopped). . . . thanks, paul
Posted by:
Unitary
20 Sep 2013
Bob,
“A zero-day exploit is simply a newly discovered threat, a possible avenue of attack. It is not an actual attack.”
A security fault that was “newly discovered” by some “good guys” might not be new for some “bad guys”.
Surely, some vulnerabilities were known to and exploited for malicious purposes a long time BEFORE the proverbial zero-days.
Posted by:
Carole
20 Sep 2013
You have 90 days to notify your credit card company that the charge is a fraud. I have had my card number stolen 5 or 6 times. They charged in excess of $30,000 on my account, but it didn't cost me a cent except a little time. Some card companies will allow you to set your account, so if someone charges on it, they will notify you instantly. Each credit card company is different, so you need to give them a call to find what programs they offer.
Posted by:
Butch
20 Sep 2013
After trying to run the MS "Fix It," how do we know if it "took"???? Thanks.
Posted by:
Gina
21 Sep 2013
For those of you using Avast, all versions, it will automatically notify you of software that needs to be updated.
I don't use IE and turned off javascript long ago, but if anyone has the HD space it's best to have a backup to IE.
Posted by:
Jim
21 Sep 2013
To check for needed updates, I prefer File Hippo Update checker over Secunia. Secunia has recently hung up and required reinstalling to work.
Posted by:
Sandy Jankowski
21 Sep 2013
You may want to re-think your recommendation for Secunia Personal Software Inspector. It said I needed to update Microsoft Filemon, which is not on my computer and which Microsoft has not been making available for download since 2006. It also upgraded my iTunes 9 to iTunes 10 (which I did not want done); however iTunes 11 has been released for some time. This is just what I noticed on day 1. I really cannot trust it. I uninstalled it of course.
Posted by:
Therrito
22 Sep 2013
I run Secunia PSI every week and I have never had any issues with unpatched and/or outdated software.
I don't use Internet Exploder (note the spelling lol). Firefox has been my browser of choice for at least 12 years.
And of course, thank you for yet another great article.
Posted by:
Bill
22 Sep 2013
@Bob and Sandy: my Secunia worked just fine this morning. When I booted (about an hour ago) Secunia updated to iTunes 11. Now the tray icon is happily green again.
Posted by:
Judith
24 Sep 2013
Thank you for this information. Again you have added to my understanding. Thank you, Thank you.
Posted by:
Callie Jordan
19 Oct 2013
I love Secunia for taking care of checking all the various programs I didn't even know about, but it requires Java to run its online scan. If you've disabled it at some point because of security concerns, you will have to put it back in order to run Secunia's online scan. Secunia does have a desktop version.