Recently, professional bug spotter Tavis Ormandy of Project Zero, Alphabet’s initiative for finding zero-day vulnerabilities, discovered a critical security flaw in Mozilla’s cross-platform Network Security Services (NSS) cryptography libraries.
Officially known as CVE-2021-43527 and nicknamed BigSig (because, as Ormandy noted, all bugs require a “catchy name”), the critical memory corruption vulnerability is a heap-based buffer overflow that could crash an application or let attackers execute arbitrary code. The overflow occurs during signature verification, affecting certain PDF viewers and email clients such as LibreOffice, Evolution, Thunderbird, and Evince. The vulnerability is reportedly present in every version of NSS dating back to version 3.14, released in October 2012.
While Mozilla sprang into action to fix the bug (which did not affect its popular Firefox web browser), it is nonetheless a reminder that software carries risk even when it comes from a well-regarded and well-known developer such as Mozilla, and it highlights the need for tools such as Runtime Application Self Protection to stay properly protected.
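To show the bug class described above in working code, here is an added, constructed illustration (not NSS's own code; the struct, function names and the 64-byte capacity are hypothetical): a heap-allocated verification context whose fixed-size signature buffer is filled without a length check, beside the bounded version that refuses an oversized signature before touching the buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the BigSig bug class; the names here are
 * hypothetical and this is not NSS's own code.  The context keeps the
 * signature in a fixed-size buffer, so copying an attacker-sized
 * signature into it without a length check overruns the heap object. */
#define MAX_SIG_LEN 64                     /* assumed fixed capacity */

typedef struct {
    unsigned char sig[MAX_SIG_LEN];        /* fixed-size signature buffer */
    size_t sig_len;
    void (*finish)(void);                  /* field an overrun would clobber */
} vfy_ctx;

vfy_ctx *vfy_ctx_create(void) {
    return calloc(1, sizeof(vfy_ctx));     /* heap-allocated context */
}

void vfy_ctx_destroy(vfy_ctx *cx) { free(cx); }

/* VULNERABLE pattern: trusts the caller-supplied length.  Shown only to
 * make the missing check visible; never call it with len > MAX_SIG_LEN. */
void vfy_set_signature_unchecked(vfy_ctx *cx, const unsigned char *sig, size_t len) {
    memcpy(cx->sig, sig, len);             /* heap overflow when len > MAX_SIG_LEN */
    cx->sig_len = len;
}

/* HARDENED pattern: compare the length against the buffer's real capacity
 * and reject anything larger before copying.  Returns 0 on success,
 * -1 if the signature does not fit. */
int vfy_set_signature(vfy_ctx *cx, const unsigned char *sig, size_t len) {
    if (cx == NULL || sig == NULL || len > sizeof(cx->sig))
        return -1;                         /* oversized input is refused here */
    memcpy(cx->sig, sig, len);
    cx->sig_len = len;
    return 0;
}

/* Helper for checking the hardened path with a constructed signature of
 * the given length: returns 1 if accepted, 0 if rejected. */
int accepts_signature_of_length(size_t len) {
    unsigned char *sig = malloc(len ? len : 1);   /* constructed filler bytes */
    memset(sig, 0xAB, len);
    vfy_ctx *cx = vfy_ctx_create();
    int ok = vfy_set_signature(cx, sig, len) == 0;
    vfy_ctx_destroy(cx);
    free(sig);
    return ok;
}
```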
The traditional Web Application Firewall
Traditionally, a Web Application Firewall (WAF) was considered adequate to protect against many online attacks, including those that exploit vulnerabilities. WAFs have been around since the 1990s, when attacks on web servers became more commonplace. A WAF works by filtering, monitoring, and blocking HTTP traffic on its way both to and from a web server. The idea is that, by inspecting this HTTP traffic, it is possible to stop attacks that seek to exploit vulnerabilities in web applications, whether cross-site scripting (XSS), SQL injection, or any of the many other attack methods.
But WAFs aren’t always enough. Because they monitor traffic at the network perimeter, providing broad but shallow protection, they may lack the visibility needed to detect attempted exploitation of a vulnerability like BigSig. Traditional WAFs can fail to spot some of the threats in the cybersecurity landscape, leaving targets open to attack.
Commonly cited weaknesses of WAFs include their tendency to generate both false positives and false negatives, and the fact that they can be bypassed with the right approach. Perhaps most significantly, they may offer limited protection against zero-day vulnerabilities. A zero-day vulnerability, the type of vulnerability that Alphabet’s Project Zero is tasked with finding, is one that is known to attackers but not to the application vendor.
Enter Runtime Application Self Protection
WAFs most certainly have their place when it comes to defending against cyberattacks. But they are not the only tool you should be considering when protecting against such threats. The latest, most advanced defense available against zero-day attacks is Runtime Application Self Protection (RASP). RASP agents are designed to sit inside applications, where they can examine request payloads in real time.
They do this with the context of the application code as it runs, which lets them work out whether a request is normal or possibly malicious, for non-web and web apps alike. In doing so, RASP allows applications to defend themselves, making it an invaluable game-changer for those who need to rely on such tools, and making it possible to detect and block attempted exploitation of BigSig and similar vulnerabilities.
In the case of the BigSig vulnerability, Mozilla worked hard to fix the vulnerability once it became aware of it. But waiting on patches for defense is not the most foolproof way of safeguarding your systems. It is a bit like waiting for a neighbor on your street to be burglarized before you decide to start locking your front door and windows at night. With RASP, security is there by default.
Vulnerabilities aren’t going anywhere
Vulnerabilities are never going to go away entirely. Bugs are part of virtually every sufficiently complex piece of software, and a certain percentage of them become vulnerabilities when attackers find a way of exploiting them to cause damage. BigSig may be one of the latest examples, but it is far from the only vulnerability to have arisen in 2021, and, with 2022 here, there will be plenty more where that came from. However, by investing in the right tools, such as RASP, organizations can protect themselves against whatever risks come their way.
For any organization that has experienced a cyberattack based on a vulnerability (or simply those that have followed this area closely and know the risks), this is an investment well worth making. The cybersecurity landscape continues to evolve, with more vulnerabilities discovered all the time. By seeking out cybersecurity experts to help safeguard your systems, you can ensure you are protected against all manner of vulnerabilities, cryptographic and otherwise. Doing so is some of the smartest money you can spend.