
In the wake of the Hacking Team breach on July 6th, 2015 [1] [2] I heard that some previously unknown zero-day exploits might surface (apparently one for Flash already has).

Once these exploits become public knowledge and before a patch that fixes the vulnerability is provided, how can I defend my system as a private user?

Mike Ounsworth
Federico

2 Answers


The answer is to take responsibility for your own security.

If you rely only on software vendors for your security your trust is arguably misplaced and you might be disappointed quite often.

You are in control of your system as an individual and it is therefore your responsibility to take the necessary measures to protect what is important to you. Most software vendors care very little for your cat picture collection.

It all comes down to knowing what is on your system, how you use it, how important it is to you and how you can minimize exposure. The reputation of a software vendor is a great guide to knowing how much trust you should place in a piece of their software.

Based on your personal risk assessment you can employ basic secure "best practices" like disabling Flash in your browser by default and only enabling it when absolutely necessary, or better yet, removing it completely. If possible, you can also stop using the software completely as another answer suggested. If you want to take it one step further you can also have a default deny policy for JavaScript in your browser to prevent unwanted malicious scripts from running (I do this - it's a lot of effort but I sleep better at night). Don't click on email links. Review which ports you have exposed to the internet. Trust with reluctance ... and so on and so forth.

Having said this, you should know that even if you do all of these things you can only ever make an effort to minimize exposure and will never be immune to 0-days, as even the most trustworthy software can be vulnerable in some way, and when this day comes it is your cue to reevaluate your risk and adjust your behavior and mitigation accordingly.

Remember: "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" - Dennis Hughes, FBI.

Edit: I forgot to mention a very important and relevant concept that ties in with some of the points made before. In order to mitigate the potential effects of a 0-day vulnerability in any particular piece of software you can make sure that in your environment you adhere to the principle of least privilege. By constraining the privileges of the software you inherently limit the privileges of the exploit*.

*Assuming the exploit does not make use of a privilege escalation vulnerability.

ilikebeets
    +1 I feel like [Law #1 of Security](https://technet.microsoft.com/en-us/library/hh278941.aspx) applies here: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." -- we're all guilty of running software that we haven't personally reviewed the source code for. The first steps to evaluating the risks of using a computer is understanding that A) any software you didn't write is potentially malicious, and B) even software you did write can have 0-days in it. – Mike Ounsworth Jul 07 '15 at 15:03
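The answer above lists "review which ports you have exposed to the internet" as one of the concrete steps a private user can take. As an added example (not part of ilikebeets' answer or the original thread), the script below shows what that review looks like in practice: it parses output in the layout Linux's `ss -tuln` prints and separates sockets bound to a wildcard or non-loopback address (reachable from other hosts) from those bound to loopback only. The sample output embedded in it is constructed for illustration; the ports and services shown are not taken from any real machine.

```python
"""Added example, not from the original answer: flag listening sockets that
are reachable from other hosts, as a starting point for reviewing exposed
ports. The input mimics `ss -tuln` output on Linux; the sample below is
constructed, not captured from a real system.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the column layout `ss -tuln` uses:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      511    *:8080             *:*
tcp   LISTEN 0      128    [::1]:25           [::]:*
tcp   LISTEN 0      128    [::]:445           [::]:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    exposed: bool  # True when bound to a wildcard or non-loopback address


def _split_addr_port(field):
    """Split 'addr:port', '[v6addr]:port' or '*:port' into (addr, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]")
    addr = addr.split("%", 1)[0]  # drop an interface scope such as %lo
    return addr, int(port)


def _is_exposed(addr):
    """Wildcard binds and anything outside loopback count as exposed."""
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: surface it for manual review


def parse_listeners(text):
    """Parse `ss -tuln`-style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Netid":
            continue
        proto, state = parts[0], parts[1]
        if proto == "tcp" and state != "LISTEN":
            continue  # only listening TCP sockets matter here
        addr, port = _split_addr_port(parts[4])
        listeners.append(Listener(proto, addr, port, _is_exposed(addr)))
    return listeners


def exposed_ports(text):
    """Return sorted (proto, port) pairs reachable from other hosts."""
    return sorted({(l.proto, l.port) for l in parse_listeners(text) if l.exposed})


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_SS_OUTPUT):
        tag = "EXPOSED" if l.exposed else "local-only"
        print(f"{l.proto:<4} {l.address:>12}:{l.port:<5} {tag}")
```

On a real host you would feed it the actual `ss -tuln` output and then ask, for each line tagged EXPOSED, whether that service needs to be reachable from outside at all; anything that does not should be bound to loopback or blocked at the host firewall, which shrinks the surface a future 0-day in that service can reach.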

The most reliable way is to stop using the product or service that has the vulnerability until it is patched. Obviously this is often very inconvenient. You must make a risk assessment of your own situation to decide if it is worth it.

Graham Hill
  • Adding a comment since this is not part of your question, but note that it may not be enough just to defend your system. A zero day may be used against some system you don't control and cause harm to you. – Graham Hill Jul 07 '15 at 14:13