Why is Java so vulnerable to attacks

What is a zero-day exploit and how can you protect yourself?

The trade press is constantly writing about new and dangerous zero-day exploits. But what exactly is a zero-day exploit, what makes it so dangerous and, most importantly, how can you protect yourself?

Zero-day attacks happen when the bad guys get ahead of the good guys, attacking us through vulnerabilities we didn't even know existed. They are what happens when we haven't had time to prepare our defenses.

Software is vulnerable

Software is not perfect. The browser you're reading this in - whether it's Chrome, Firefox, Internet Explorer, or anything else - is guaranteed to have bugs. Such complex software is written by people and has problems that nobody knows about yet. Many of these bugs aren't very dangerous - they might cause a website to malfunction or your browser to crash. However, some bugs are security flaws. An attacker who knows about such a bug could create an exploit that uses it to gain access to your system.

Of course, some software is more vulnerable than others. For example, Java has had a seemingly endless stream of vulnerabilities that allow websites using the Java plug-in to escape the Java sandbox and gain full access to your computer. Exploits that manage to compromise Google Chrome's sandboxing technology have been far less common, although even Chrome has had zero-days.

Responsible disclosure

Sometimes a security hole is discovered by the good guys. Either the developer discovered the vulnerability themselves, or "white hat" hackers discovered the vulnerability and responsibly disclosed it, for example through Pwn2Own or Google's Chrome bug bounty program. The developer fixes the bug and publishes a patch for it.

Malicious individuals may later attempt to exploit the vulnerability after it has been disclosed and fixed, but by then people have had time to prepare for it.

Some people don't patch their software in a timely fashion, so these attacks can still be dangerous. However, if an attack targets software with a known vulnerability that has already been patched, it is not a zero-day attack.

Zero Day Attacks

Sometimes a security flaw is discovered by the bad guys. The people who discover the vulnerability may sell it to other people and organizations looking for exploits (this is big business - it's no longer just teenagers in basements trying to mess with you, this is organized crime in action), or use it themselves. The vulnerability may already be known to the developer, but the developer may not have been able to fix it in time.

In this case, neither the developer nor anyone using the software receives any advance warning that the software is vulnerable. People only learn that the software is vulnerable when it is already under attack. Often the attack is investigated afterwards and the flaw it exploits is identified.

This is a zero-day attack - that is to say, the developers have had zero days to look into the problem before it is already being exploited in the wild. However, the bad guys have known about it long enough to craft an exploit and launch an attack. The software remains vulnerable to attack until a patch is released and applied by users. This can take several days.

How to protect yourself

Zero days are scary because we have no notice about them. We cannot prevent zero-day attacks by keeping our software up-to-date. By definition, no patches are available for a zero-day attack.

So what can we do to protect against zero-day exploits?

  • Avoid vulnerable software: We don't know for sure whether there will be another zero-day vulnerability in Java in the future, but given its long history of zero-day attacks, we can anticipate another one. (In fact, Java is currently vulnerable to several zero-day attacks that have not yet been patched.) Uninstall Java (or disable the plug-in if Java needs to stay installed) and you will be less exposed to zero-day attacks. Adobe PDF Reader and Adobe Flash Player have also had a number of zero-day attacks in the past, although they have improved recently.
  • Reduce your attack surface: The less software you have that is exposed to zero-day attacks, the better. For this reason, it is advisable to uninstall unused browser plug-ins and to avoid exposing unnecessary server software directly to the Internet. Even if the server software is fully patched, a zero-day attack can still eventually occur.
  • Run an antivirus program: Virus protection can help against zero-day attacks. In an attack that attempts to install malware on your computer, the malware installation may be thwarted by the antivirus program. An antivirus program's heuristics (which detect suspicious-looking activity) can also block a zero-day attack. Antivirus programs can also be updated to protect against a zero-day attack sooner than a patch is available for the vulnerable software itself. For this reason, no matter how careful you are, it is best to use an antivirus program on Windows.
  • Keep your software up to date: Keeping your software up to date will not protect you against zero-days, but it will ensure that you get the fix as soon as possible after its release. This is another reason to reduce your attack surface and remove potentially vulnerable software that you are not using: there is then less software to keep updated.

We have explained what a zero-day exploit is, but what is a permanently unpatched vulnerability called? Check out our Geek Trivia section to see if you can figure out the answer!