Old 08-01-2007, 11:06 AM
Symantec
Senior Member
 
Join Date: Oct 2006
Posts: 295
300-Day Attacks

Some file formats are more vulnerable to exploits than others. Document and spreadsheet programs, for example, are often exploited, possibly as much because of their prevalence on desktops as from any other reason. That said, updating them is often easier precisely because of their widespread use, since updates are often automatic or are otherwise easily obtained.

Less pervasive programs, though, are often harder to keep current. A prime example of this is the archive format, with extensions such as .zip, .rar, etc. There are a wide number of different programs available for different platforms; more importantly, they have historically been quite vulnerable to exploits.

When security vendors discuss a newly-identified vulnerability in a program, there is always the hope that users have the latest version or that they will quickly upgrade. As we all know, though, the reality is quite different. Even at the enterprise level, employees of any given company are often using different versions of any given program. Moreover, in this scenario, while many exploits target newly identified vulnerabilities, many still go after older openings.

For example, there is a RAR file that exploits an undocumented old vulnerability existing in WinRAR 3.5. The exploit was fixed in newer versions, but the likelihood is that there are still a great number of users still on version 3.5 or earlier. In this case, it is not a zero-day, but a 300-day attack.

The RAR file can only successfully exploit the vulnerability on Windows of a certain language version. Thus, as a security vendor, it is not enough just to test a sample file on English versions of Windows. As these are targeted attacks, the exploit requires a successful combination of a particular language version of an OS and an older version of the target application.

This RAR file contains the same virus as the Word document exploit MS06-062, meaning that there is probably a person or a group that is intentionally trying to exploit a series of old vulnerabilities with the expectation that some users are still using a year-old, unpatched product.

All this goes to show the importance of updating your programs whenever possible and, more importantly, not slipping into the false comfort of automatic updates. Though many hackers focus on finding exploits in newer programs, there are still vulnerabilities turning up in older versions of many programs.
http://www.symantec.com/enterprise/security_response/weblog/2007/07/300day_attacks.html
Mon, 30 Jul 2007 05:00:00 -0800