The ABC of Cybersecurity: E is for Exploit

How many times have you ignored security warnings from Adobe or Microsoft because you simply didn’t have the time or patience for a software update? Each time you postpone the update and think your system is not important enough to get hijacked, you expose yourself to a bunch of malware attacks, some more sophisticated than others.

When you use an outdated browser or plugin, you may automatically allow a hacker to exploit a vulnerability that grants them full access to all your data and programs. An exploit attack is no joke and can have a serious impact.

What is a vulnerability exploit?

In a perfect world, applications would work flawlessly: no sudden crashes in the middle of your work, and no flaws in the way they have been designed. However, in real life, the complexity of software often leaves hackers room to scout for flaws and turn them against the user. They spend months or even years investigating the inner workings of highly popular software applications to find ways to force them into behaving unexpectedly. When it is first discovered, such a vulnerability is called a zero-day exploit – an exploit that has not been seen before and for which the software vendor does not have a patch readily available.

The time frame between the first use of the exploit and the release of a patch to fix it is called the “vulnerability window” – and represents the period in which the user can be attacked without being able to fix the exploited flaw. On underground forums, zero-day exploits sell for anywhere between US $10,000 and $500,000, depending on the affected platform and its popularity on the market.

When a hacker “exploits” a device, it means that such a bug or software weakness has been weaponized (i.e. paired with malware) and is actively pushed to the user via web pages or removable media.

Operating systems are not the only victims; this type of attack targets any software, hardware and electronic devices that can download files from the internet. Some of the most common targets are Microsoft Office, web browsers such as Internet Explorer, media players, web browser plugins such as Adobe Flash Player, Adobe Reader, and unpatched versions of Oracle Java.

There are two types of exploits – local and remote. Local exploits are more sophisticated because they involve prior access to the system, while remote exploits manipulate the device without requiring prior system access.

How hackers access your system

To be able to detect the vulnerability and exploit it, hackers first have to get into your device. For that they use the easiest tool: social engineering. They will manipulate you into opening a suspicious email or attachment that loads specially crafted content into the vulnerable plugin. Once it is rendered, the content often causes the application to crash and silently install a malicious payload without the user’s intervention.

Often, exploits are bundled into an exploit pack – a web application that probes the operating system, browser and browser plugins, looks for vulnerable applications and then pushes the app-specific content to the user.

It’s not difficult for a criminal to detect the problems in your system. These protocol cracks are not immediately identified by vendors or security researchers, so by the time a patch is released, hackers may have already launched a zero-day exploit attack. Zero-day attacks are difficult to tackle and have increased in frequency because hackers are more experienced and act way faster than in the past.

Put an end to exploit attacks

The exploits we’re dealing with today are more aggressive and spread throughout the system in a matter of minutes, compared to those in the early 90s, which were slower and passive because of the lack of internet connectivity. Exploit kits, as well as other malware, are now widely available for purchase on the dark web, turning any script kiddie into a genuine schemer.

The problem with exploits is that they are part of a more complex hack, which makes them a pain in the neck. They never come alone and always infect your device with some form of malicious code.

Although security specialists and vendors work together to detect vulnerabilities as soon as possible and release patches to fix them, they can’t protect you against zero-day exploits. Worse, they can’t protect you against your own negligence. You can take matters into your own hands: always back up your data, avoid weak passwords and constantly update all software. Never run vulnerable versions of plugins, browsers or media players. Remember that any minute you “waste” updating your operating system will save you hours of computer maintenance when disaster strikes.

Because exploits can spread through emails and compromised web pages, stay alert and be careful what you click on. Your computer’s firewall and security software solution should be a good start for first-layer protection, but remember that there is still a high risk of zero-day exploits.
