The idea of software without any bugs of flaws is a myth. Regardless of what bug-testing methodology or process is followed by the coder, no piece of software is perfect. Time constraints on publishing it or simply human error can conspire to ensure that no matter how established the company behind the software, there are going to be flaws with it. These may range from minor issues to major zero day vulnerabilities.
In an age of over-the-air updates, developers will often seek to get software to the point at which it’s “good enough” to be released, and then create updates to patch over problems when and where they’re discovered. The bigger and more complicated a piece of software, the more flaws will likely exist.
In some cases, bugs may simply be about the quality of the user experience. A flaw that mildly inconveniences the user by resulting in software that doesn’t work the way it should is annoying. But the really dangerous bugs are the ones that become security vulnerabilities. These are weaknesses that can be exploited by a malicious actor, such as a hacker, to make a particular piece of software behave in ways that it is not supposed to. That usually means allowing a hacker to carry out unauthorized actions within a system.
New vulnerabilities are constantly discovered
New vulnerabilities are discovered every day as people around the world use pieces of software. Sometimes bugs will be discovered by accident. However, there is also no shortage of malicious cyber criminals actively on the lookout for software vulnerabilities that could allow them to attack individuals or organizations.
Fortunately, not all hackers are bad. There are those who seek to cause harm, but there are also those “good guys” in the form of cybersecurity women and men who look for vulnerabilities in software before it can be exploited by bad actors.
Increasingly, companies offer “bug bounties” whereby they will financially reward those who discover exploits or vulnerabilities so that they can be fixed, and updated versions of the software pushed out to users in order that they are protected.
Zero day exploits and chained vulnerabilities
The big problem comes from zero day exploits. A zero day exploit refers to a software vulnerability that’s not known to either the software vendor or to the antivirus vendors who seek to safeguard users. When a zero day vulnerability is found, some hackers will quickly develop an exploit that allows them to take advantage of the weakness before anyone else knows about it and are able to plug the hole.
Sometimes hackers might chain together vulnerabilities in what is known as vulnerability chaining or bug chaining. Chaining together vulnerabilities makes them more than the sum of their parts. For example, in November 2020 attackers chained together two zero day vulnerabilities found in Google Chrome and Microsoft Windows were and exploited them in targeted attacks on users.
The Google Chrome vulnerability, a.k.a. CVE-2020-15999, allowed hackers to access a target system. The Microsoft Windows vulnerability, a.k.a. CVE-2020-17087, meanwhile allowed an attacker to then gain administrator access to this system by using the vulnerability for what is called “privilege escalation.” Luckily, in this case the two vulnerabilities were not used for widespread attacks, allowing the developers to issue patches to remedy the situation.
Be aware of the risks
Protecting against vulnerabilities is something anyone who relies on a computer system (which is virtually everyone) should be cognizant of. The clearest way of protecting against vulnerabilities is to ensure that your software, whether it’s an operating system or individual programs on a computer or other device, are kept up to date.
Most developers are good at issuing updates whenever a problem is discovered that could harm their users. However, users are only protected so long as they have downloaded and installed the patch in question.
This will not protect against zero day attacks, though — since this refers to attacks which take advantage of vulnerabilities that are not already known. To make sure that you are properly protected against such instances, it’s worth bringing in the cybersecurity experts. Tools like Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) are some of the most effective ways of stopping zero day attacks in their tracks.
Protect yourself against bad actors
WAFs are deployed on the network edge and monitor all incoming traffic, filtering out any malicious or suspect inputs that could target vulnerabilities. Meanwhile, RASP is used to protect applications, looking at request payloads to determine if a request is normal or malicious. This, in turns, allows applications to defend themselves.
Zero day attacks will continue to be a threat as long as software has bugs that can be exploited by cybercriminals (which, sadly, is likely to be always.) But following best practices offers robust defense. Whether you’re an individual running a business or a decision-maker at a large organization, employing the right tools to protect you is one of the smartest moves you can make.
loading...
loading...