An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, Web application vulnerabilities, and proof-of-concept (POC) exploits for patched vulnerabilities throughout the month of September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed during the month.
According to Trend Micro researcher Rajiv Motwani, the vulnerabilities that will be announced refer to a collection of old and new ones primarily targeting Microsoft. The new vulnerabilities can be considered zero-day flaws and will leave users vulnerable until a vendor patch is offered and applied. However, this process may take some time. Until then, users should use any suggested workarounds.
It is also believed that detailed information for recently released advisories will be published. It is possible that the information released includes POC code, making exploits more likely. Exploit packs on malicious and compromised websites will probably include these new exploits as well.
Any new information released during this period will likely be quickly exploited, putting more users at risk. High-profile applications like Internet Explorer (one of the programs that the researchers have indicated they will release a vulnerability for) can have exploit code released within hours of the POC code’s announcement. Portions of the many exploits already in the wild can be reused in any new exploit attack, further hastening the process.
Enterprise users should note that server applications will be part of the list of vulnerable applications exposed in September. These applications may take longer to patch. In addition, the potential for damage if one server is affected is greater than if one user system is affected.
Vendors will certainly rush out patches to fix any announced vulnerability but hopefully the accelerated development will not cause complications. There have been cases in the past when vendors released patches that did not fix the vulnerabilities completely, resulting in reissued patches.
For users, protecting themselves will prove difficult. No centralized update notification mechanism exists for third-party software, which means that ordinary users may not be aware that certain applications need to be updated. Many applications now integrate some form of auto-update feature but this will still impose unnecessary burden on users who just want their systems to work.
Users should be on guard for any popular application that has vulnerabilities, as exploits for these are likely to spread even faster than usual. Applying patches and/or workarounds for identified vulnerable software is highly recommended.
While patching systems remains essential, Trend Micro also offers several free tools that can help prevent computer compromise, you may download them here.