Software vulnerabilities are found in a number of ways. The software vendor may discover them during testing, and companies will often pay users to test for them. For example, companies such as Facebook, Google, Yahoo and Dropbox will pay people, often thousands of dollars, to deliberately hack their products and find holes in their software. Dropbox has its own hacktivity section, an area within the Dropbox site that instructs users on how to check for vulnerabilities in their software and apply for a financial reward if they find one, the minimum payment being $216. Facebook has a similar incentive in their Whitehat area. The software engineering institute, CERT, works tirelessly to identify emerging software vulnerabilities and, when one is found, informs the vendor in question, advising and helping in the removal of the vulnerability.
One other way that software vulnerabilities can be minimized is through the use of secure coding techniques. This approach was first established by Microsoft in the mid 90s and was initially used to handle a problem called ‘buffer overflow’. A buffer overflow occurs where a software coder hasn't limited the amount of data a section of code will accept as input; hackers can then exploit this and use it to run their own code, i.e. a piece of malware.
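The missing input limit behind a buffer overflow, next to the secure-coding fix, as an added example (not code from this article or from any vendor it names). The `account` record, the 16-byte `NAME_SIZE` and both function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 16 /* constructed buffer size for this example */

/* Constructed record: the flag sits right after the fixed-size buffer. */
struct account {
    char name[NAME_SIZE];
    int is_admin;
};

/* Unbounded copy: strcpy() writes until it meets the input's terminator,
 * so input of NAME_SIZE bytes or more runs past name[] into whatever
 * follows it. Kept for contrast; main() only gives it input that fits. */
void set_name_unbounded(struct account *acct, const char *input)
{
    strcpy(acct->name, input);
}

/* Bounded copy: measure the input against the buffer first and reject
 * anything that does not fit, terminator included.
 * Returns 0 on success, -1 when the input is rejected. */
int set_name_bounded(struct account *acct, const char *input)
{
    size_t len = 0;

    if (acct == NULL || input == NULL)
        return -1;
    while (len < NAME_SIZE && input[len] != '\0')
        len++;
    if (len == NAME_SIZE)
        return -1; /* too long: leave the record untouched */
    memcpy(acct->name, input, len + 1);
    return 0;
}

int main(void)
{
    struct account acct = { "", 0 };
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 bytes */

    set_name_unbounded(&acct, "alice"); /* fits, so this call is safe */
    printf("unbounded copy of short input: %s\n", acct.name);
    printf("bounded copy of long input: %d\n", set_name_bounded(&acct, too_long));
    printf("name=%s is_admin=%d\n", acct.name, acct.is_admin);
    return 0;
}
```

The bounded version refuses oversized input outright rather than truncating it, so the caller learns that the data was rejected and the neighbouring field is never touched.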
Some Well Known Software Vulnerability Exploits and How They Hurt Us
Heartbleed was a vulnerability within a piece of software called a library. In this case the library, named OpenSSL, was used in a web-based protocol called TLS, which is the basic protocol that allows data to be communicated securely across the web; so this was big. Many, many companies across the world use OpenSSL, including Yahoo, the Canadian Federal Government, Amazon Web Services and games such as Sony Online Entertainment. The Heartbleed bug caused a massive global problem when it was discovered in April 2014, which was almost 3 years after it had first been written into the software code. Two of the more serious problems this vulnerability caused were making passwords vulnerable and allowing network traffic to be decrypted. Community Health Systems (CHS) was affected to the tune of 4.5 million patient records being accessed by hackers.
This vulnerability was found in Microsoft’s SQL Server 2000 and had actually been patched by Microsoft several months before the exploit occurred. However, because of poor patching efforts on the part of businesses, the malware (in this case a ‘worm’, which is a self-replicating program that uses software vulnerabilities to spread) was able to proliferate across the globe. This exploit caused a denial of service and within ten minutes had hit 75,000 victims. The worm made its way into the software using a buffer overflow flaw.
Conficker was a bot which used a software vulnerability to take administrator control of a computer. Bots are nasty; they work in unison to launch attacks and they can collect keystrokes, passwords, financial information and so on. Conficker targeted the Microsoft operating system. It infected millions of individuals, businesses and government organizations in over 200 countries.
Zero Day Vulnerabilities
Much malware is based on the exploitation of software vulnerabilities, as discussed already. These vulnerabilities and associated exploits have come to be known as Zero Day Vulnerabilities, a term that describes the arms race between the software vendor discovering the flaw and the hacker publishing the malware to exploit it. ‘Zero Day’ describes how the hacker has found and exploited the flaw before the software vendor, the vendor having had zero days to fix the problem. It is then a race against time for the vendor to fix the issue and for you, as a business, to patch that software. This is one of the reasons why it is so important to have a prompt-action patch management system in place.
Protecting Your Business Against Software Vulnerabilities
Software vulnerabilities are not going away. We have to accept that software products, like many other types of products, will be worked upon and improved over time. We also have to accept that hackers will take advantage of the lag time in fixing a software flaw and will even actively look for flaws before the vendor finds them. We have to be proactive in our approach to cyber security. We have to put in place strategies that prevent the loss of our data, the theft of passwords and financial details, and the negative effect on our reputation and brand.
WatchPoint Data’s solution to this is the WatchPoint patch management system, which does the hard work for you. We know that smaller companies do not have the bandwidth to handle the onslaught of hack attacks. Our security platform will continuously watch your system for security issues and fix them if found, leaving you to get on with your business and not have to worry about software vulnerabilities, hackers or patching.