Meaning and Definition: Zero-Day Vulnerability
A zero-day (a.k.a. 0-day) vulnerability is a flaw or weakness in a system that has been identified by hackers (Either white hat or black hat) but it is unknown to, or unaddressed by the system owners, developers, or the general community. Thus, a security vulnerability could be considered a zero-day vulnerability until a patch/update or a mitigation strategy is issued, or the details of the vulnerability is disclosed to the general public.
In some cases, though not incorrect, the term could also be used slightly differently to refer to the situation where no patch or workaround exists for a vulnerability that the vendor might be aware of its existence. In other cases, the term zero-day vulnerability is improperly used to emphasize the fact that a vulnerability is new, though it is known by the vendor and a patch has been already issued to fix it.
A zero-day (a.k.a. 0-day) vulnerability is a flaw or weakness in a system that has been identified by hackers (Either white hat or black hat) but it is unknown to, or unaddressed by the system owners, developers, or the general community. Thus
Though in lots of other resources zero-day vulnerabilities are mistakenly associated only with software, flaws could reside at hardware as well as the software. Thus, it would be more appropriate to use a broader term such as “system” to refer both to software and hardware in the context of zero-day vulnerabilities.
The term zero-day was originally used in the software world as “zero-day software” to refer to the number of days since a new software was released to the public. Eventually, the term found usage in the information security community as “zero-day vulnerability” to refer to the number of days left for the vendors to fix the vulnerabilities that were discovered by attackers first.
What is a Vulnerability?
As a background on terminology, giving the definition of vulnerability could help readers grasp the further discussion of the topic better.
In cyber security, a vulnerability is a flaw or weakness in a system that could be exploited by a threat vector and lets the adversary bypass the implemented protection mechanisms with respect to confidentiality, integrity and availability. Vulnerabilities can allow attackers to gain unauthorized access to resources, steal, modify or destroy data, install malware etc.
Other definitions of security vulnerability as described in NIST and ISO 27005 standards are as follows:
- National Institute of Standards and Technology (NIST): A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
- ISO 27005: A weakness on an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission.
What Causes a Zero-Day Vulnerability?
Any flaw or weakness in the design or implementation of a system or its security controls could cause security vulnerabilities, leading to zero-day vulnerabilities. As discussed briefly above, though first software comes into mind when the topic is vulnerabilities, in fact there exist a number of other causes for security flaws. Following is a more detailed list of causes for security vulnerabilities:
- Operating System Flaws: Operating systems are fundamental in establishing a secure environment. Mostly, due to complexity, operating systems contain lots of vulnerabilities. Known operating system vulnerabilities can be remediated through updates or patches.
- Software Bugs: In addition to operating systems, applications running on top of them also cause vulnerabilities frequently. Pressures over the projects, complexity in software, inadequate security training of the developers or insufficient security testing are some of the reasons that cause vulnerabilities in software. Known software vulnerabilities can be eliminated through updates or patches. To learn more about what are the common errors that causes vulnerabilities in software, you can refer to Top 25 Most Dangerous Software Weakness, published by the MITRE Organization.
- Hardware/Firmware Flaws: Not only the software, but also the hardware contain vulnerabilities. Moreover, they are harder to detect, awkward to fix and usually more critical than software vulnerabilities.
- Communication or Security Protocol Flaws: Sometimes vulnerabilities arise due to design flaws in the protocols rather than their implementation whether as software or hardware. For instance, a weakness in a cryptographic algorithm (E.g., DES has known weaknesses) or a communication protocol (E.g., Telnet does transmit data in clear text).
- Misconfigurations: Vulnerabilities could also arise due to misconfigurations in a system. Default configurations might cue vulnerable or secure initial configurations could be changed later inadvertently or due to user needs.
With efficiency, you focus in making the entire program faster. If there is one or two outlier cases, you typically don’t worry about them. But with security, it’s exactly the opposite. You secure the average but the outliers are really the ones you worry about. Because those are the ones that attackers look for.Matt Bishop
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
Frequently, the term “zero-day” is used together with other related terms, such as exploit and attack, and often interchangeably. However, these terms do not convey the same meaning and there are slight differences between them. Thus, a quick overview of these related terms should prove useful in discussing zero-day vulnerabilities.
A zero-day exploit is the method of taking advantage of a zero-day vulnerability to attack vulnerable systems.
Note that, not all zero-day vulnerabilities turn into zero-day exploits. This happens when a vendor issues a patch or workaround for a zero-day vulnerability before attackers would have the chance to develop an exploit for it. It is most of the case when developing an exploit requires significant amount of time and expert level knowledge even though theoretically it is possible to exploit a vulnerability.
Regarding the exploitability of vulnerabilities, there even exists a metric, i.e., “Exploit Code Maturity (E)”, in Common Vulnerability Scoring System (CVSS) to define the criticality of vulnerabilities according to the availability (existence) and maturity of corresponding exploits. This is illustrated in Figure 1.
As a method exploitation, a zero-day malware is a variety of malicious software designed to harm or exploit any programmable device or network. Types of malware can include viruses, worms, Trojan horses, root kits, ransomware, bots, adwares, spywares etc. In this article, we will define several of the most common malware types.
A zero-day attack is the use of a zero-day exploit by the attackers to cause damage or steal data from a system that is affected by a zero-day vulnerability.
How to Protect Against Zero-Day Attacks?
Since zero-day attacks are unknown to the public (including the vendors), it is often difficult to defend against them with specific countermeasures, such as firewall or IDS/IPS (Intrusion Detection & Prevention System) rules or anti-malware signatures. This makes such attacks a severe security threat as they are highly likely to succeed. However, a number of best security practices can be employed as preventive mechanisms to protect systems against zero-day exploits. These practices include:
- Reduce Attack Surface: Ensure that systems are not running unneeded services or protocols.
- Use Firewalls: Enable both network-based and host-based firewalls to limit potentially malicious traffic.
- Use IDS/IPS: Use intrusion detection and prevention systems to detect and block malicious activity.
- Record Logs: Keep activity logs to investigate any suspicious activity in computer systems.
- Implement Honeypots: Use of honeypots can help in identifying malicious activity and reveal the attack method.
How to Respond When a Zero-Day Vulnerability is Announced
When a zero-day vulnerability is announced, most vendors take immediate action to develop a patch to protect their users as early as possible against zero-day attacks. However, the length of time between the announcement of a zero-day vulnerability and delivery of a patch for it (a.k.a. attack window) can vary depending on the diligence of the vendor and the complexity of developing a proper fix.
For this reason, temporal actions to mitigate existing vulnerabilities should be taken until fixes can be applied to remediate and get rid of the vulnerabilities completely.
Actions to mitigate a vulnerability could be one or some of the following.
- Blocking a port on a firewall (on a network or host) that could expose a vulnerability to malicious actors.
- Limiting the use of the vulnerable software to a separated network or a select list of users.
- Disabling the vulnerable software temporarily.
Examples of Zero-Day Attacks
Stuxnet is considered by many to be one of the most complex computer worms ever and stands out possibly as the most famous example of zero-day attacks. It was first discovered in 2010, with its roots dating back to 2005. The primary target of the attack was the Iran’s uranium enrichment plants with the intention of disrupting the country’s nuclear activities. The worm used the MS Windows print spooler flaw, as well as other zero-day vulnerabilities to infect manufacturing computers running PLCs (Programmable Logic Computers) and cause unexpected behavior on the uranium enrichment centrifuges.
To give another notable example, the security company RSA (The company founded by Ronald Rivest, Adi Shamir and Leonard Adleman, who developed the RSA encryption algorithm in 1977) was targeted by the hackers in 2011. Attackers took advantage a zero-day vulnerability in Adobe Flash Player to gain access to the company network to steal sensitive information on the company’s products and ongoing research. Specifically, employees were sent emails with a malicious Excel spreadsheet attachment that installed the Poison Ivy remote administration tool due to the zero-day vulnerability on the Flash Player.
What was named as Operation Aurora was a series of zero-day attacks that took place in 2009. The primary goal of the attack was to gain access to and potentially modify source code repositories quite a number of famous tech companies, including Google, Yahoo, Adobe Systems, Juniper Networks, Symantec etc. The attack took advantage of a zero-day vulnerability in Internet Explorer (CVE-2010-0249) as well as another zero-day vulnerability that existed in the software version control software (Perforce) used by Google.
To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?