Exploit. It isn’t a word we hear very often in conversation, but it comes up in almost every single conversation I have relating to my work.
Exploits are small programs that take advantage of existing security flaws in systems. They aren’t technically malware; they just open the door to let malware in. Not all exploits work everywhere, though: the flaws differ from system to system, so an exploit has to be tailored to the system it targets.
How does an attacker know which exploit to use?
For the purposes of this blog post, we’ll assume that the target computer is a client to a website. If a client accesses a website that has been compromised or that carries malvertising (advertisements that deliver malicious content), a process called fingerprinting occurs. Fingerprinting reads the basic data your computer sends to the server, which includes your operating system and version, your web browser and version, and, in some cases, the other programs you have running. That information is quickly analyzed to see if there are any known vulnerabilities that the attacker can exploit. The web server then redirects the client to an invisible landing page that hosts a download for an exploit kit and its payloads (malware). Those payloads are downloaded to the client, and the exploit kit opens the door to install and execute the malicious code that compromises the client’s system.
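The fingerprinting step is easiest to understand by looking at the same data from the defender’s side: the User-Agent header every browser sends is recorded in an ordinary web server or proxy access log, and anyone holding that log can see exactly what a landing page would see. The example below is added here and is not code from the original post. It parses a few constructed Apache “combined” log lines, extracts the operating system and browser version from each User-Agent, and lists the clients whose browser is below an assumed minimum patched version. The log lines, IP addresses and the minimum-version table are all made up for the example; a real deployment would take the minimums from vendor release notes.

```python
import re

# Constructed sample lines in Apache "combined" log format, as a web server or
# reverse proxy would record them. Hosts, IPs, dates and paths are made up.
SAMPLE_LOG = """\
10.0.0.21 - - [03/Mar/2017:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0"
10.0.0.22 - - [03/Mar/2017:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
10.0.0.23 - - [03/Mar/2017:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
10.0.0.24 - - [03/Mar/2017:10:12:14 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
"""

# One "combined" log line: client IP, identity, user, timestamp, request line,
# status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT kernel versions as they appear in User-Agent strings.
WINDOWS_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
                    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

# Assumed minimum "current" major versions for the period of the constructed log.
# These are placeholders for the example, not a vendor-published list.
MIN_VERSION = {"Firefox": 52, "Chrome": 56, "Safari": 10}


def fingerprint(ua):
    """Pull the OS and the browser family / major version out of a User-Agent."""
    fp = {"os": "unknown", "browser": "unknown", "major": None}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        fp["os"] = WINDOWS_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))
    else:
        m = re.search(r"Mac OS X (\d+)[_.](\d+)", ua)
        if m:
            fp["os"] = "macOS %s.%s" % m.groups()
        elif "Android" in ua:
            fp["os"] = "Android"
        elif "Linux" in ua:
            fp["os"] = "Linux"
    # Order matters: Chrome-based browsers also say "Safari", and Edge also says
    # "Chrome", so the more specific tokens are tried first.
    for name, pattern in (("Edge", r"Edge?/(\d+)"),
                          ("Firefox", r"Firefox/(\d+)"),
                          ("Chrome", r"Chrome/(\d+)"),
                          ("Safari", r"Version/(\d+)[\d.]* Safari/")):
        m = re.search(pattern, ua)
        if m:
            fp["browser"] = name
            fp["major"] = int(m.group(1))
            break
    return fp


def outdated_clients(log_text):
    """Return (ip, os, browser, major) for every client whose browser major
    version is below the assumed minimum. This is the defender's view of the
    same data an exploit kit landing page uses to choose what to deliver."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        fp = fingerprint(m.group("ua"))
        minimum = MIN_VERSION.get(fp["browser"])
        if minimum is not None and fp["major"] is not None and fp["major"] < minimum:
            findings.append((m.group("ip"), fp["os"], fp["browser"], fp["major"]))
    return findings


if __name__ == "__main__":
    for ip, os_name, browser, major in outdated_clients(SAMPLE_LOG):
        print(f"{ip}: {browser} {major} on {os_name} is below the assumed minimum "
              f"{MIN_VERSION[browser]}")
```

Run against a real access log, this is a cheap way to find the clients on your network that are advertising an old browser to every site they visit; the User-Agent alone is enough for the attacker’s first decision, so it is enough for yours.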
Types of exploits
There are two kinds: known and unknown.
Known exploits have been found and documented, and usually a patch has been released to fix the flaw they use. The problem here is that most users don’t update their systems to ensure they are on the latest versions of all of their applications. It’s inconvenient, time consuming, and sometimes changes the way their software works. In the few short months I’ve been working as a security engineer, it’s more common than not for companies to stay on old, even deprecated, versions of software, because that is the way their business works.
Unknown exploits are even more dangerous. They’re often called “zero-days” because the flaw already existed when the software was released, and since they’re unknown, even users on the most up-to-date patches can be compromised. These vulnerabilities haven’t been disclosed to the companies or reported to CVE. Sometimes months pass between a cybercriminal finding and using a vulnerability and anyone else discovering it.
What kinds of software are vulnerable?
Everything. All software is potentially vulnerable. A dedicated attacker could spend weeks, if not months, searching for vulnerabilities in programs and operating systems.
How do we fight it?
- Keep your software updated. Security researchers are constantly trying to beat criminals to finding vulnerabilities and fixing them before they can be exploited. Those fixes are delivered as patches to programs and operating systems. Microsoft releases its patches on the second Tuesday of every month, known by IT professionals as Patch Tuesday. Most other companies also follow a set schedule for patches, but in the case of serious vulnerabilities, patches can be published immediately.
- Invest in an antivirus. There are plenty of cybersecurity products that stop attacks at various stages in the process of compromising a computer, even if you don’t have the latest software updates.
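Because Patch Tuesday is a fixed schedule, “are we up to date?” is a question you can answer mechanically. The example below is added here and is not code from the original post: it computes the second Tuesday of a month, finds the most recent Patch Tuesday relative to a given date, and then lists the hosts in a constructed inventory whose last update predates that cycle, allowing a grace period for patches to roll out. The inventory hostnames and dates are made up; the seven-day grace period is an assumption, not a vendor recommendation.

```python
import calendar
from datetime import date, timedelta

# Constructed inventory: hostname -> date the host last installed updates.
INVENTORY = {
    "ws-finance-01": date(2017, 3, 15),
    "ws-finance-02": date(2017, 2, 16),
    "srv-legacy-app": date(2015, 11, 12),
}


def patch_tuesday(year, month):
    """Second Tuesday of the given month (Microsoft's regular patch day)."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday; weekday() is Monday=0 .. Sunday=6.
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)


def latest_patch_tuesday(today):
    """Most recent Patch Tuesday on or before `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate > today:
        # This month's Patch Tuesday hasn't happened yet; use last month's.
        prev_month = today.month - 1 or 12
        prev_year = today.year if today.month > 1 else today.year - 1
        candidate = patch_tuesday(prev_year, prev_month)
    return candidate


def hosts_behind(inventory, today, grace_days=7):
    """Return (host, days_behind) for hosts whose last update is older than the
    most recent completed patch cycle. `grace_days` (assumed value) is how long
    after Patch Tuesday a host is given before it counts as behind."""
    cutoff = latest_patch_tuesday(today)
    if (today - cutoff).days < grace_days:
        # Patches only just came out; judge against the previous cycle instead.
        cutoff = latest_patch_tuesday(cutoff - timedelta(days=1))
    return sorted((host, (cutoff - last).days)
                  for host, last in inventory.items() if last < cutoff)


if __name__ == "__main__":
    today = date(2017, 3, 24)  # constructed "current" date for the example
    print("Most recent Patch Tuesday:", latest_patch_tuesday(today))
    for host, days in hosts_behind(INVENTORY, today):
        print(f"{host}: last updated {days} days before the current patch cycle")
```

A host that shows up here with hundreds of days behind is exactly the “old, even deprecated” software case from above; the number makes the risk visible to the people who own the business reason for not updating.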