How companies hide their exploits around others. I.E. MSFT had two 9.6 exploits they patched during the Log4J fiasco
Posted 14 Mar at 9:58 pm in Productivity
What are zero-day exploits and the CVSS scale?
Throughout 2021 the cybersecurity industry encountered hundreds of zero-day exploits. These vulnerabilities vary from minor inconveniences to threats that can cripple an entire organization.
Zero-day exploits are vulnerabilities in an organization’s hardware, software, cloud infrastructure, or code that allow hackers and malicious users to pose a significant threat to the organization’s information and its users’ information.
The Common Vulnerability Scoring System (CVSS) is a scoring scale that ranks cybersecurity vulnerabilities by numerous factors to determine overall severity.
The CVSS Score Scale:
0.0: No severity
0.1 to 3.9: Low severity
4.0 to 6.9: Medium severity
7.0 to 8.9: High severity
9.0 to 10.0: Critical severity
Typically, the highest CVSS score a vulnerability receives is 9.6-9.8, but on rare occasions a critically severe zero-day exploit will rank 10.0. The most notable example of a CVSS 10.0 is the infamous Log4J.
When companies encounter critically-severe vulnerabilities, they may disclose the vulnerability to the public, their software or cybersecurity vendors, or a third party. This is increasingly popular in the world of business IT support and managed cloud security services.
We recommend reading our other article, “What the 10.0 Means on a CVSS Score and Why The Log4J was such a big deal,” for more information about Log4J and zero-day exploits.
How companies can hide their zero-day exploits
Companies may or may not publicly communicate zero-day exploits, and they may also sell the exclusive rights to knowledge of the exploit. Most of the time, especially in the software scene, companies will contract ethical hackers or white hats to analyze, mitigate, and patch exploits privately.
When organizations discover high CVSS scoring zero-days, they may opt to keep the information about the vulnerability in-house for several reasons. Firstly, if the code, software, or hardware involved is patented, secret, or sensitive, companies will not share the data to prevent competing organizations from acquiring trade secrets.
Another reason companies opt to withhold zero-days from the public is to prevent hackers from capitalizing on these vulnerabilities. Organizations don’t want to advertise that they discovered a vulnerability, which may prompt an immediate attack.
Companies, managed cybersecurity providers, and even independent third parties that expose their vulnerabilities may invite hackers to act on malicious code already implanted within an organization or encourage new attacks. This threat alone is incredibly dangerous for many businesses carrying high-CVSS vulnerabilities.
Companies outsource cybersecurity, software development, or administration to professional IT managed service providers, so the provider may discover a vulnerability before the primary organization does. The third party may keep the patch in-house so that it can analyze and patch the vulnerability in one place. This tactic is common with cloud-based managed service providers and healthcare-tied cybersecurity industries.
Microsoft hiding zero-day exploits with a CVSS score of 9.6 from the public
Log4J started in Minecraft, where malicious users discovered that they could run code remotely through the game’s chat function. Minecraft is built on Java, one of the most ubiquitous programming languages on the internet.
Java’s prevalence exposed technological giants like Apple, Cisco, Tesla, and Twitter to evolving and increasingly dangerous risks every week. The Log4J vulnerabilities lasted months, and even today, some organizations still haven’t recovered.
In late 2021, Microsoft published information about a zero-day exploit patch that had been active for months. Even though Microsoft had known about the exploit long before the public, they didn’t disclose any vulnerability specifics other than generally warning Microsoft Office users of the situation.
McAfee, which notified Microsoft of the compromised application, was the only other organization privy to the situation. This zero-day allowed attackers to implant trojans into Microsoft Word documents remotely, and the trojans would trigger automatically once the documents were opened.
This vulnerability, identified as CVE-2021-43905, scored a 9.6 CVSS, and Microsoft thinks it may have affected thousands of users. Microsoft has several more zero-day exploit reports publicly available, some scoring as high as 9.8.
Microsoft’s Log4J Word incident showcases why cybersecurity assessment and monitoring services are invaluable. If McAfee found the exploit any later, millions more users could have been affected.
What if cloud service providers didn’t help with privacy and security concerns? Leaving primary organizations to carry out cybersecurity best practices on their own shows how difficult it is to scale on-site IT services.
If you, your business, or a technology-dependent organization have managed cloud-based advisory, strategy, testing, collaboration, or computing services, we highly encourage regular consultations and security analyses. In areas like Philadelphia, cloud services are critical, and investing in some of the best cybersecurity consulting firms may save your organization countless dollars in damages later on.