The worst nightmare for any security professional is when a zero-day vulnerability is used to attack major institutions like banks. Even worse is when the zero-day is identified, but the maker of the software with the vulnerability apparently does not heed the warnings. Such was the case recently when banks in South Asia, as well as the Middle East and North Africa region, and, most likely, Europe, were hacked via an InPage zero-day.
As reported by Kaspersky Lab's blog Threatpost, a zero-day in InPage publishing software that is used primarily in "Urdu, Pashto and Arabic-speaking nations has been publicly exploited in attacks against financial institutions." The threat had been disclosed in private multiple times to InPage developers, but much to the chagrin of Kaspersky Lab researchers, the company remained unresponsive. It was then that the Kaspersky researchers decided to make the knowledge public that there was a severe breach caused by an unpatched vulnerability.
There are likely multiple reasons that Kaspersky Lab took to their blog to report on the InPage zero-day. One is simply to let users of the software know that there is a significant issue that compromises their security. Another is possibly to make it impossible for InPage developers to ignore the reports that they had been sent. Bad publicity is often a great motivator to fix major issues in any situation, for if nothing else, there will be a large customer base pissed off at your inaction. A third possible reason is to encourage independent researchers to find a solution, should InPage developers continue to ignore calls for patches.
As it stands now, there is really no way to quantify just how many financial institutions have been affected. As the blog post by Threatpost mentions, InPage is used by millions, with India and Pakistan consisting of 10 million users alone. It will be interesting to see if the public pressure is enough to move InPage developers to action.
Photo credit: 401kcalculator.org