zero-day exploits and vulnerabilities

You’ve probably heard the expression “zero-day” before. The term was initially coined to describe pirated media (music, movies, software, games) in the early days of file-sharing. Pirated media was referred to as a “zero-day” when made available on the same day or before the official release. It is made public zero days after it is officially released.

But that was then, and this is now. Today, the expression “zero-day” describes software vulnerabilities and exploits. In the world of IT, a zero-day vulnerability is a software bug of which the public and the vendor are not aware. We can also apply the expression “zero-day” to known vulnerabilities with no available patch.

A zero-day exploit is quite simply an attack that exploits the zero-day vulnerability to compromise a user, system, app, network, etc. And by the time the vendor becomes aware of it, they have zero days to fix it, as it’s already been actively exploited.

How do zero-day exploits work?

  1. A vendor develops a software product (an operating system, an application, a library, etc.), that contains vulnerable code, unbeknownst to them at the time, through a programming error or oversight.
  2. The vulnerability is unknown by the vendor, or no current patch exists to mitigate the vulnerability.
  3. A malicious actor scans various organizations’ networks, websites, etc., and eventually discovers the vulnerability. They then craft an exploit to take advantage of it.
  4. An attack is mounted using the exploit against an organization (network, server, website, web app, etc.). The result of the attack can be almost anything (denial of service, server takeover, compromised credentials, etc.).
  5. The vulnerability is disclosed, and the vendor has zero days to mitigate the attack either because the attack is what tipped them off or because they simply do not know how to patch the vulnerability yet.
  6. If the attack is mounted using malware, antivirus signatures are typically released a few days after the disclosure has occurred.
  7. A few days or weeks later, depending on the complexity of the exploit, a security patch is released.

Bear in mind that it can sometimes take years for organizations to realize their code hosts a zero-day vulnerability – or worse, that they’ve fallen victim to a zero-day attack and were unaware of it.

What do zero-day exploits target?

A zero-day vulnerability can be found in anything that was coded (software) and in the components that support the code (hardware). Anything that resembles a computer (and let’s face it, what isn’t a computer today?) can contain a zero day.

A zero-day attack can exploit vulnerabilities in a wide variety of systems, such as:

  • Web browsers
  • Operating systems
  • Applications
  • Open-source components
  • Computer hardware
  • Routers
  • Device firmware
  • Internet of Things (IoT) devices
  • Even automobiles nowadays

IoT devices are particularly problematic since users typically have minimal access or control over them. IoT device users need to rely on the vendor to issue firmware updates and security patches. There’s not much you can do on your own with those devices (including your connected car).

Consumer routers face the same issue. These off-the-shelf devices tend to be used for years, if not decades, and software patches for these devices are incredibly rare. Many vendors would rather focus on producing and selling the next-generation model rather than spending their time and resources ensuring the security of existing devices.

Notable zero-day attacks

Google Chrome

In December 2021, Google’s Chrome browser was found to be vulnerable to a series of zero-day exploits. While Google quickly issued updates, it did not disclose the nature of the vulnerabilities it found. That was to prevent them from being exploited further before users had time to update. Nonetheless, it was revealed that the vulnerability originated from a bug in the V8 JavaScript engine used by the Chrome browser.

Apple iOS

In May 2021, Apple’s iOS and iPadOS were revealed to be vulnerable to two zero-day exploits. Both of the vulnerabilities affected the operating system’s browser engine, Webkit. Webkit is the default backend for web browsers running on the platforms. Hence, third-party browsers were also affected. The exploit allowed for the execution of arbitrary code on the device after it processes maliciously crafted web content – that’s Apple’s way of saying a malicious URL. Both the vulnerabilities have since been patched.

Zoom

In April 2020, a zero-day vulnerability was found in Zoom‘s popular video conferencing platform. The vulnerability affected Zoom software on both PC and Mac. The attackers injected code into the machines of users who clicked on a malicious URL sent to them through the application’s built-in chat functionality. Zoom issued an update that patched the vulnerability a few days after the disclosure.

Microsoft Windows

In 2019, Microsoft Windows was found to be vulnerable to a zero-day privilege escalation attack. The targets were various government institutions in Eastern Europe. The zero-day vulnerability was exploited through a phishing attack. If the unsuspecting users clicked a malicious link or attachment, the attacker could compromise the user’s machine and escalate its local privileges. That allowed the attacker to run arbitrary code, install applications, and modify data within compromised applications. Microsoft quickly rolled out a security patch after the vulnerability became public.

Microsoft Word

In 2017, a Microsoft Word zero-day vulnerability was exploited to download the Dridex banking trojan onto victims’ machines. When users of Microsoft Word opened the maliciously crafted document, a prompt was displayed to “load remote content” to display the document properly. If the users clicked the button to allow the remote content, it would trigger the download of the banking trojan. Once installed, Dridex could do many things, such as deleting files or setting up its own virtual network. Another of its tricks was its ability to infiltrate web browsers, detect when a user is on an online banking web page or application, and inject malware or key-logging software to steal the user’s login credentials.

Stuxnet

And let’s not forget Stuxnet: one of the most famous examples of a zero-day attack. Stuxnet was first discovered in 2010 when it was found to target Iran’s uranium enrichment plants in an attempt to derail its nuclear program. Stuxnet was initially found on USB thumb drives and quickly spread through Microsoft Windows computers. The Stuxnet malware targeted computers running programmable logic controller (PLC) software, which used Siemens’ Step 7 software. Step 7 is used by industrial computers serving as PLCs to automate and monitor electro-mechanical equipment. Once a Windows machine running Step 7 was found, Stuxnet would start sending damaging instructions to the electro-mechanical equipment controlled by the PC. Stuxnet would also send false feedback back to the main controller as that was happening. Those monitoring the equipment had no idea something was wrong until the equipment started to self-destruct.

How to detect zero-day attacks

The nature of zero-day vulnerabilities means that they’re detected once it’s too late (i.e., once they’ve already been exploited). While, by definition, you won’t be able to prevent the attack, here are a few things you can do to shorten your response time:

  • Scanning internet traffic to identify suspicious patterns
  • Examining the code of incoming files over your network
  • Scanning for malware

Again, this won’t save you from a zero-day attack, but cutting down your response time can significantly reduce the damage if such an attack were to occur.

How to prevent zero-day attacks

The main characteristic of zero-day exploits is being unknown (or known but currently unpatchable) rather than being a specific type of attack. Because of that, defending against zero-day attacks requires casting a wide net with general measures rather than targeted ones. Here’s how you can skew the odds of avoiding zero-day attacks more in your favor. But remember, nothing is 100% here.

For organizations

  • Keep your software up to date – Always make sure that you’re using the latest version of whatever software you’re using in your organization and on your network. Running the latest versions ensures that you’ve installed the latest security patches and that your defenses are optimal. Software updates also include many bug fixes, and the fewer bugs in your software, the safer you are from zero-day attacks.
  • Limit the number of applications you use – The more applications you use, the larger your attack surface. You should only install the software packages you actually need and use. Every new app you install comes with potential bugs, increasing the chances that one of them (or more) will be exploited. The leaner your system, the more secure it is.
  • Perform penetration testing and set up a bug bounty program – You can attempt to stay ahead of the curve by performing in-house pen testing and having a bug bounty program. You could discover the next zero day vulnerability by performing pen testing on your infrastructure. And a bug bounty program can mobilize whitehat hackers to find them for you. Either one of these practices could save you from a zero-day attack. Make sure you do both.
  • Use a firewall – A firewall enables you to monitor and block suspicious activity according to almost any relevant criteria, such as protocol, port, mime type, etc. Monitoring and blocking suspicious traffic could save you from a zero-day attack even if parts of your infrastructure were vulnerable.
  • Educate your organization on zero-day exploits – Make sure the relevant stakeholders in your organization are aware of the threat of zero-day exploits. Provide training to your staff to keep zero days in mind as they code, perform QA, etc.
  • Have a zero-day contingency plan – Hopefully, you won’t fall victim to a zero-day attack. But if you do, having a plan, knowing how to react, what to shut down, will definitely work out better for you than running around trying to figure out what to do. Being prepared may sound like boy scout advice, but it can make all the difference in an emergency situation.
  • Use antivirus software – While technically, an antivirus wouldn’t detect an unknown vulnerability, some zero-day exploits piggyback on other exploits, so an antivirus might still help you out. Also, certain exploits are crafted by modifying existing exploits that may still resemble the original enough to be detected by your antivirus. Of course, there’s no guarantee for this, but this is an odds game. You want the odds to be in your favor as much as possible.

For individuals

  • Use a firewall – Every major operating system provides a built-in incoming firewall, and all off-the-shelf commercial routers have a built-in NAT firewall. Ensure you enable them.
  • Never click on pop-ups – Never.
  • If your browser displays a warning about the website you’re attempting to access, pay attention and find the information you need elsewhere.
  • Never download pirated software – Everybody likes free products but remember that those who upload pirated software are typically looking to make money, either by compromising your system or selling your information to other bad actors.
  • Only buy well-reviewed and genuine security software from legitimate vendors.
  • Only open email attachments if you trust the sender and you can verify their identity – viruses do come in the mail, and that’s why you should always scan your incoming mail with an antivirus program.
  • Keep your applications updated – Malware and viruses very often exploit security flaws found in outdated software.
  • Make regular backups of your computer – Regular backups will allow you to recover your files if your machine becomes infected.
  • If you receive an email asking for information while claiming to be from an official organization with which you have a relationship, read it very carefully before you do anything. Does it have spelling and grammar mistakes? Does it have an air of urgency? These are classic signs of a phishing attempt. And always remember that your bank or the government will never ask you to send them sensitive information by email.
  • Don’t click links (URLs) in emails unless you know exactly who sent it and where it links. Also, scrutinize the link. Is it an HTTP or an HTTPS link? Most legitimate sites use HTTPS today. Does the link contain spelling errors (gooogle instead of google)? If you can get to the destination without using the link, it’s highly recommended to do that instead.

Wrap-up

So there you have it. Zero-day vulnerabilities and exploits are nasty business. And because you can’t specifically defend against them because they’re by definition unknown (or known but currently unpatchable), you need to rely on general security practices, like the ones above. They won’t protect you 100% of the time, but they’ll definitely reduce the odds of your organization falling victim to an attack. And all of the practices listed above are things you should be doing anyway.

Stay safe.