"Zero-day" attacks and using limited privilege

There have been a couple of credible-sounding stories in the press in the past week or two about zero-day attacks, that is, the malicious exploitation of previously unknown vulnerabilities. I think we're going to start seeing more of these, as the bad guys better understand the economic value of finding and exploiting vulnerabilities.

Hackers used to be satisfied just vandalizing web sites. The next cool game was to find a bug and be the first to publicize it, and yourself for finding it. Many of these “analysts” now play the game more responsibly, alerting the vendor first and not publicizing the vulnerability until the vendor releases a patch. And of course there are the malware writers, releasing worms, trojans and the like (often poorly written) such as Sasser into the wild and getting big headlines. The damage many of these have done, though, has often been limited to consumption of network bandwidth and the time of IT administrators. Very few of these have exploited vulnerabilities for which there was no fix available.

In the past year or so, we've started seeing the increasing spread of malware with an economic purpose. In particular I'm thinking of the ones that allow users' computers to be controlled by spammers. Many Internet domains and IP address ranges have become known for hosting spammers and end up on spam filter blacklists. By turning your computer into a zombie and having their bulk mail originate from your DSL line, spammers bypass these filters. Why do they go to all this trouble, and even break the law? Because they make a lot of money doing it! Spam still generates big revenue. We've also seen increases in phishing and spyware - ways to get your private information for someone else's illegal gain.

I think we can expect to see more cases where people who find new security vulnerabilities will not alert the vendor or otherwise publicize their findings, but will instead use the information for financial gain by installing spyware and spam engines on victims' computers. This is particularly likely when the “researchers” and/or the people they do business with live in places like Russia, where the legal risks are relatively small.

So what does this have to do with running as a Limited User? Will running as a Limited User rather than an Administrator keep you safe against these zero-day attacks? Well, it depends on the attack. If the exploit attacks an operating system service, as Sasser and Blaster do, then it doesn't even matter whether anyone is logged on, let alone whether they are an admin. (Use a firewall.) But if the vulnerability is exploited through your web browser, email, IM, internet-connected game, etc., then the malicious code runs under your account and can do anything you can do. See the “#1 reason” paragraph of Why you shouldn't run as admin for why this matters so much. Running as Limited User might block the attack completely, and in any case it will certainly limit what the attack can accomplish.
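To make the "it can do anything you can do" point concrete, here is an added PowerShell example (not from the original post) that reports whether the current token carries Administrator rights and then probes whether a process at this privilege level could modify a few system locations. The probe list (Program Files, System32 and the HKLM Run key) is an assumption chosen for illustration; run it once as a Limited User and once as an Administrator to see the difference.

```powershell
# Added example, not part of the original post. Reports the privilege of the
# current session and probes what a process at this level could change.
# Whatever this script can do, code exploited through your browser or mail
# client under the same account can do too.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

"Account: $($identity.Name)"
"Administrator rights in this token: $isAdmin"

# Locations that only an administrator should be able to modify.
# (Assumed probe list for illustration; nothing is left behind.)
$probes = @(
    (Join-Path $env:ProgramFiles 'ProbeTest'),
    (Join-Path $env:SystemRoot  'System32\ProbeTest'),
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($target in $probes) {
    try {
        if ($target -like 'HKLM:*') {
            # Open the key writable; no value is actually written.
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                $target.Substring(6), $true)
            if ($null -eq $key) { throw 'access denied' }
            $key.Close()
        } else {
            # Create and immediately remove a throwaway directory.
            New-Item -ItemType Directory -Path $target -ErrorAction Stop | Out-Null
            Remove-Item -Path $target -ErrorAction Stop
        }
        "WRITABLE    $target"
    } catch {
        "protected   $target"
    }
}
```

On a Limited User account every probe should report "protected"; under an Administrator account they all report "WRITABLE", which is exactly the footprint a zero-day exploit in a client application would inherit.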

Running as Limited User does not by itself make you secure, but it is an important piece of defense in depth. It is vitally important to use a firewall and to keep up to date on patches and anti-virus signatures. These will block many of the bad things out there from affecting you. But there are exploits that will bypass all of these. In those cases, running as Limited User may be the only line of defense you have left.