InfoSec 2003: 'Zero-day' attacks seen as growing threat

Computerworld - NEW YORK -- "Zero-day" attacks that take advantage of software vulnerabilities for which there are no available fixes are emerging as a major threat to corporate security.
More than ever, the threat underscores the need for companies to have safe configuration policies for software and systems, as well as good incident-response and patching capabilities, said users at the InfoSec 2003 trade show here last week.
"I'm very concerned about it," said Joseph Inhoff, LAN administrator at Lutron Electronics Co., a manufacturer of lighting equipment in Coopersburg, Pa.
Because such attacks take advantage of flaws before software makers can fix them, the potential for damage from so-called zero-day exploits is something Lutron's management is especially worried about, Inhoff said. "I'm trying to figure out what I can do about it," said Inhoff, who was at the show to see how automated patching software could help bolster the company's response capabilities to such attacks.
Although they have been seen as a major security threat for some time, there haven't yet been any major zero-day attacks.
But users won't have to wait for long, warned Mary Ann Davidson, chief security officer at Oracle Corp. and a member of a panel discussing the topic at this week's event.
For one thing, malicious hackers are getting better and faster at exploiting flaws, Davidson said. Last summer's Blaster worm, one of the most virulent and widespread ever, hit the Internet barely a month after Microsoft Corp. released a patch for the software flaw it exploited. A variant called Nachi, carrying a dangerous payload, hit users less than a week later. In contrast, January's SQL Slammer worm took eight months to appear after the vulnerability it targeted was first disclosed.
"You can see that the timelines are collapsing," said Davidson. That trend suggests it's only a matter of time before users see attacks against flaws not yet disclosed or for which no patches are available, she said.
The number of new vulnerabilities and exploits surfacing on security newsgroups is another indication that such attacks aren't far off, said Todd Kunkel, network systems security administrator at Adelphi University, a Garden City, N.Y-based school with more than 7,500 students.
Kunkel monitors such groups on a daily basis to try to keep abreast of new flaws and see if work-arounds are possible before any exploit code becomes available. "I try to find out if there is anything that I need to worry about and see how I can go about fixing it," he said.
The relatively glacial pace at which some