What is a zero-day vulnerability?
Undoubtedly, you’ve heard the term zero-day thrown around in news stories and blogs describing a cyberattack, but what sets a zero-day exploit apart from the rest of the motley crew of malware that inhabits the dark corners of the internet?
The term zero-day refers to the number of days the vendor has had to fix the flaw: none.
Zero-day exploit vs. zero-day vulnerability
There are two terms that can accurately describe a zero-day flaw.
The most commonly used is a zero-day attack or exploit, which describes a flaw that is actively being abused.
The other is a zero-day vulnerability. These are usually less pressing. Many times, quality assurance testers have already located these flaws. Or in some cases, a competitor will stumble upon one. It is rare for these to be disclosed publicly until a patch has been found.
A zero-day vulnerability is not necessarily being actively exploited. However, it will likely be exploited if left unpatched.
Which zero-day flaw is more dangerous?
In the world of software security, zero-day exploits carry more potential to do damage. Depending on the nature of the exploit, they can steal data, cause software to malfunction, or perform tasks that benefit the hacker, such as cryptojacking or enrolling your computer in a botnet. They can even reprogram voltage on hardware, causing physical damage. Because of the nature of the exploit, this can all happen while your software provider and antivirus program remain totally unaware, until the exploit is discovered.
Examples of zero-day flaws
In March of this year, Google, in conjunction with Microsoft, sent out a warning that they had found a new vulnerability in Microsoft’s most popular operating system, Windows 7. In the same announcement, Google revealed a similar vulnerability in Chrome, Google's browser. The Chrome vulnerability had been fixed by the time the announcement was published, but the Windows 7 vulnerability had not. The announcement revealed exploits that could have left gaping back doors in both pieces of software, allowing a hacker to read and steal sensitive files on the user's computer.
A month earlier, an exploit that allows a hacker to completely take over a victim's computer was found in WinRAR, an extraction and compression program. A file that had not been updated since 2005 was said to have caused the weakness. In this situation, hackers had actively exploited the weakness over 100 times by the time it was located. The hole wasn’t fixed until nearly a week after the initial press release.
In December of 2018, Microsoft released a statement revealing that the defunct internet browser, Internet Explorer, had a backdoor that hackers were actively exploiting. The exploit had been abused for an undisclosed amount of time. Microsoft released an emergency patch to fix the flaw soon after, along with a warning advising customers to stop using the browser due to “perils of using Internet Explorer”. Recorded Future has since listed this as the most targeted vulnerability in the world.
Software debuggers can find zero-days using several different methods.
One of the more common is called fuzz testing. Fuzz testing bombards the device or software with random data to make it crash. When a crash occurs, the programmer will attempt to duplicate it and take appropriate action. Fuzz testing is considered a brute-force attack and an older method of quality assurance testing, but one that is still widely used.
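As an added illustration (not code from the original article), the Python example below runs the fuzz-testing loop just described against a small constructed parser: it feeds mutated inputs, keeps the ones that crash, and replays one to confirm the crash can be duplicated. The record format, parse_record and every other name here are assumptions made for the example.

```python
import random

# Constructed sample input: 1-byte length, payload, 1-byte checksum.
SEED = bytes([5]) + b"hello" + bytes([sum(b"hello") % 256])

def parse_record(data: bytes) -> bytes:
    """Toy target (hypothetical). Bug: it trusts the length byte."""
    if not data:
        raise ValueError("empty input")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]  # unchecked index: fails on short input
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random edits: overwrite a byte, insert a byte, or truncate."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 2 and data:
            del data[rng.randrange(len(data)):]
    return bytes(data)

def crashes_on(target, case: bytes) -> bool:
    """True if the target fails with anything other than a clean rejection."""
    try:
        target(case)
    except ValueError:
        return False  # input rejected as designed
    except Exception:
        return True   # unexpected exception: the crash the tester is hunting
    return False

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1234) -> list:
    """Return distinct crashing inputs; a fixed rng_seed makes runs repeatable."""
    rng = random.Random(rng_seed)
    found = {case for case in (mutate(seed, rng) for _ in range(iterations))
             if crashes_on(target, case)}
    return sorted(found, key=lambda c: (len(c), c))  # shortest first

if __name__ == "__main__":
    cases = fuzz(parse_record, SEED)
    print(len(cases), "crashing inputs; smallest:", cases[0])
    print("reproduces on replay:", crashes_on(parse_record, cases[0]))
```

Sorting the crashing inputs shortest-first gives the programmer the smallest case to debug, and the fix here is to reject any record whose length byte exceeds the data actually supplied.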
Why you should care about zero-day flaws
Vendors can substantially limit the damage a zero-day exploit can cause by catching it as soon as possible. However, catching vulnerabilities before they are exploited by hackers is both costly and time-consuming. End-of-life software with a high user base is still on the market, Windows 7 and Internet Explorer, for instance. If a zero-day exploit is found after the January end of life in 2020 for Windows 7, it leaves many users exposed to various types of malware.
If you’re still using Windows 7 and don’t have a migration plan in place, don’t delay on getting started. The cybercriminals aren’t wasting a minute!