The day-one movement

November 7 seems to be a day of new tactics.


First there’s that curious TROJ_STRAT.FN, which brought to light another STRATION strategy: a Trojan-Trojan-worm team-up. Then, just before next week’s Patch Tuesday, two new zero-day exploits were detected spreading in the wild. Zero-day exploits are not really uncommon these days (the past couple of months are proof enough of this), so I guess we can term these newly detected malware as… day-one exploits?


Here’s the gist: Trend Micro has just detected JS_DLOADER.GXZ and HTML_AGENT.GKS, which take advantage of the Visual Studio 2005 WMI Object Broker Control and XMLHTTP 4.0 ActiveX Control vulnerabilities, respectively, to download and execute possibly malicious files onto the system (in the case of the malicious JavaScript, it downloads a Trojan named TROJ_VIDLO.AJ). Neither vulnerability has a patch yet, so technically these detections are indeed zero-day exploits.


What is interesting, however, is that as early as last week Microsoft had already released a Security Advisory for the Visual Studio vulnerability (and the advisory for the XMLHTTP vulnerability was posted just yesterday). The advisories even include workarounds to apply while the patches are yet to be released, so as to minimize whatever damage these security flaws may cause to systems and businesses, among others. This gives users enough time to do something, anything, to avoid possible attacks.


Given these, is it still appropriate to term exploits that take advantage of a known-yet-unpatched vulnerability as “zero-day”? After all, the phrase “zero-day exploit” has been used loosely during the past couple of months. Mostly it was used for exploits that take advantage of an as-yet unknown vulnerability, or a newly discovered one, for that matter. And yes, while by definition these new malware also fit the bill, they do not fit the typical characteristics we have encountered before, do they? The past couple of months followed an exploit-advisory-patch sequence; these are more of an advisory-exploit-patch sequence.


With Microsoft now becoming more proactive and aggressive when it comes to addressing these flaws (unlike the Patch Tuesday-Exploit Wednesday scenario they were in), possibly to prove to customers that they are really ready to enter the security market, one cannot really point a finger at them anymore… not unless they want a don’t-say-I-didn’t-warn-you shot back. Most of the burden now rests on the users.


Then again, maybe it is just a new tactic employed by zero-day exploit authors. After all, releasing an exploit after an advisory is still like rubbing salt into an open wound…