Zero-day vulnerability
A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it.[1] Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.[2]
The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them.[3][4][5] Vendors who discover the vulnerability may create patches or advise workarounds to mitigate it – though users need to deploy that mitigation to eliminate the vulnerability in their systems. Zero-day attacks are severe threats.[6]
Attack vectors
Potential attack vectors for a zero-day vulnerability are identical to known vulnerabilities and those that have available patches. For example, when a user visits a rogue website, malicious code on the site can exploit unpatched vulnerabilities in a Web browser. Web browsers are a particular target for criminals because of their widespread distribution and usage. Cybercriminals, as well as international vendors of spyware such as Israel’s NSO Group,[7] can also send malicious e-mail attachments via SMTP, which exploit vulnerabilities in the application opening the attachment.[8] Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases such as US-CERT. Criminals can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data.[9]
The time from when a software exploit first becomes active to the time when the number of vulnerable systems shrinks to insignificance is known as the window of vulnerability.[10] The timeline for each software vulnerability is defined by the following main events: t0, when the vulnerability is discovered (by anyone); t1a, when the vendor publishes a security patch; t1b, when a working exploit becomes active; and t2, when the number of vulnerable systems has shrunk to insignificance.
Thus the formula for the length of the window of vulnerability is: t2 − t1b.
In this formulation, it is always true that t0 ≤ t1a, and t0 ≤ t1b. Note that t0 is not the same as day zero. For example, if a hacker is the first to discover (at t0) the vulnerability, the vendor might not learn of it until much later (on day zero).
For normal vulnerabilities, t1b > t1a. This implies that the software vendor was aware of the vulnerability and had time to publish a security patch (t1a) before any hacker could craft a workable exploit (t1b). For zero-day exploits, t1b ≤ t1a, such that the exploit becomes active before a patch is made available.
By not disclosing known vulnerabilities, a software vendor hopes to reach t2 before t1b is reached, thus avoiding any exploits. However, the vendor has no guarantees that hackers will not find vulnerabilities on their own. Furthermore, hackers can analyze the security patches themselves, and thereby discover the underlying vulnerabilities and automatically generate working exploits.[11] These exploits can be used effectively up until time t2.
In practice, the length of the window of vulnerability varies between systems, vendors, and individual vulnerabilities. It is often measured in days, with one report from 2006 estimating the average as 28 days.[12]
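The following Python snippet is an added example, not part of the original article, that puts the timeline model above into code: it checks the invariants the text states (t0 ≤ t1a and t0 ≤ t1b), classifies each vulnerability as zero-day (t1b ≤ t1a) or normal (t1b > t1a), and computes the window of vulnerability as t2 − t1b. The three vulnerability records and their dates are constructed sample data, not real CVE timelines.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VulnTimeline:
    """Key events of one vulnerability, using the article's notation.

    t0  - vulnerability discovered (by anyone)
    t1a - security patch published by the vendor
    t1b - a working exploit becomes active
    t2  - number of vulnerable systems shrinks to insignificance
    """
    name: str
    t0: date
    t1a: date
    t1b: date
    t2: date

    def __post_init__(self) -> None:
        # Invariants from the text: nothing can happen before discovery.
        if self.t1a < self.t0 or self.t1b < self.t0:
            raise ValueError(f"{self.name}: t0 must precede both t1a and t1b")

    def is_zero_day(self) -> bool:
        # Zero-day: the exploit is active no later than the patch (t1b <= t1a).
        return self.t1b <= self.t1a

    def window_days(self) -> int:
        # Window of vulnerability = t2 - t1b. If the vendor reached t2 before
        # any exploit appeared (t2 < t1b), there is no effective window.
        return max(0, (self.t2 - self.t1b).days)

    def patch_lead_days(self) -> int:
        # Days the patch was available before the exploit became active;
        # zero or negative for a zero-day.
        return (self.t1b - self.t1a).days


def summarize(timelines: list[VulnTimeline]) -> dict[str, dict]:
    """Return, per vulnerability, its classification and exposure figures."""
    return {
        t.name: {
            "zero_day": t.is_zero_day(),
            "window_days": t.window_days(),
            "patch_lead_days": t.patch_lead_days(),
        }
        for t in timelines
    }


# Constructed sample data (hypothetical identifiers and dates).
SAMPLE = [
    # Patch out two weeks before an exploit appeared: a normal vulnerability.
    VulnTimeline("VULN-A", date(2023, 1, 10), date(2023, 2, 1),
                 date(2023, 2, 15), date(2023, 3, 15)),
    # Exploit active 15 days before the patch: a zero-day.
    VulnTimeline("VULN-B", date(2023, 3, 1), date(2023, 3, 20),
                 date(2023, 3, 5), date(2023, 4, 30)),
    # Exploit and patch on the same day: still counts as a zero-day (t1b == t1a).
    VulnTimeline("VULN-C", date(2023, 5, 1), date(2023, 5, 2),
                 date(2023, 5, 2), date(2023, 5, 2)),
]


def zero_day_names(timelines: list[VulnTimeline]) -> list[str]:
    """Names of the vulnerabilities whose exploit preceded or matched the patch."""
    return [t.name for t in timelines if t.is_zero_day()]


if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        kind = "zero-day" if info["zero_day"] else "normal"
        print(f"{name}: {kind}, window {info['window_days']} days, "
              f"patch lead {info['patch_lead_days']} days")
```

Running the block prints one line per record; VULN-A is classified as normal with a 28-day window, while VULN-B and VULN-C are zero-days. The clamp in window_days reflects the scenario in the text where a vendor reaches t2 before t1b and thus avoids any exploits.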
Protection
Zero-day protection is the ability to provide protection against zero-day exploits. Since zero-day attacks are generally unknown to the public, it is often difficult to defend against them. Zero-day attacks are often effective even against "secure" networks and can remain undetected even after they are launched. Thus, users of so-called secure systems must also exercise common sense and practice safe computing habits.[13]
Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as macOS, Windows Vista and later, Solaris, Linux, Unix, and Unix-like environments; Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities[14] and previous versions include even less. Desktop and server protection software also exists to mitigate zero-day buffer overflow vulnerabilities. Typically, these technologies involve heuristic termination analysis in order to stop attacks before they cause any harm.[15]
It has been suggested that a solution of this kind may be out of reach because it is algorithmically impossible in the general case to analyze any arbitrary code to determine if it is malicious: as such an analysis reduces to the halting problem over a linear bounded automaton, which is unsolvable. It is, however, unnecessary to address the general case (that is, to sort all programs into the categories of malicious or non-malicious) under most circumstances in order to eliminate a wide range of malicious behaviors. It suffices to recognize the safety of a limited set of programs (e.g., those that can access or modify only a given subset of machine resources) while rejecting both some safe and all unsafe programs. This does require the integrity of those safe programs to be maintained, which may prove difficult in the face of a kernel-level exploit.
The Zeroday Emergency Response Team (ZERT) was a group of software engineers who worked to release non-vendor patches for zero-day exploits.
Worms
Computer worms are intercepted using knowledge about how they infect their hosts. Zero-day worms take advantage of a surprise attack while they are still unknown to computer security professionals. Recent history shows an increasing rate of worm propagation.[16] New worms are difficult to detect, because their infection signatures are unknown, and well-designed worms can spread very quickly throughout the Internet, sometimes with devastating consequences.[17]
Ethics
Differing ideologies exist relating to the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase information about vulnerabilities to augment their research capacity. An example of such a program is TippingPoint's Zero Day Initiative.
While selling and buying information about vulnerabilities is not technically illegal in most parts of the world, there is a lot of controversy over the method of disclosure. A 2006 German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.[18]
Most formal programs follow some form of Rain Forest Puppy's disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response. In general, these rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch.
U.S. government involvement
NSA's use of zero-day exploits (2017)
In mid-April 2017 the hackers known as The Shadow Brokers (TSB), who are allegedly linked to the Russian government,[23][24] released files from the NSA (initially just regarded as alleged to be from the NSA, later confirmed through internal details and by American whistleblower Edward Snowden)[25] which include a series of 'zero-day exploits' targeting Microsoft Windows software and a tool to penetrate the Society for Worldwide Interbank Financial Telecommunication (SWIFT)'s service provider.[26][27][28] Ars Technica had reported Shadow Brokers' hacking claims in mid-January 2017,[29] and in April the Shadow Brokers posted the exploits as proof.[29]