A zero-day vulnerability, also known as a computer zero day, is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. Zero day may refer to the vulnerability itself, or it may refer to a zero-day exploit, an attack that uses the zero-day vulnerability against vulnerable systems.
By definition, the vendor or other owner of the vulnerable system is unaware of the existence of a zero-day vulnerability. If attackers, including researchers working with threat actors, become aware of the vulnerability before defenders, the zero-day vulnerability can be used to create a zero-day exploit.
How zero-day exploits work
A zero-day exploit is an attack that exploits a previously unknown security vulnerability. A zero-day attack is also sometimes defined as an attack that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. In other words, there are "zero days" between the time the vulnerability is discovered and the first attack.
Historically, the vulnerabilities that make zero-day attacks possible have been caused by insecure software development practices. To mitigate these zero-day vulnerabilities, developers must create and release a patch and users, especially enterprises, must install the patch in a timely manner.
When a researcher discovers a security vulnerability in an operating system, application or any other code or system, the researcher or their company often notifies the vendor or manufacturer of the flawed system so action can be taken to either repair the flaw with a patch or offer other mitigations.
Security researchers cooperate with vendors and usually agree to withhold all details of zero-day vulnerabilities for a reasonable period before publishing those details. Google Project Zero, for example, follows industry guidelines that give vendors up to 90 days to patch a vulnerability before the finder of the vulnerability publicly discloses the flaw. For vulnerabilities deemed "critical," Project Zero allows only seven days for the vendor to patch before publishing the vulnerability; if the vulnerability is being actively exploited, Project Zero may reduce the response time to less than seven days.
Some zero-day attacks have been attributed to advanced persistent threat (APT) actors, hacking or cybercrime groups affiliated with or a part of national governments. Attackers, especially APTs or organized cybercrime groups, are believed to reserve their zero-day exploits for high-value targets.
Zero-day exploit detection
Zero-day exploits tend to be very difficult to detect. By definition, these exploits are previously unknown, which means signature-based security tools, such as antimalware software and some intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), are completely ineffective at detecting the exploit itself, because no attack signature exists.
One effective method for detecting a zero-day attack is user behavior analytics. Most of the entities authorized to access networks exhibit certain usage and behavior patterns that are considered to be normal. Activities falling outside of the normal scope of operations could be an indicator of a zero-day attack.
For example, a web application server normally receives a predictable set of requests, and the application responds to them in specific, predictable ways. If outbound packets are detected exiting the port assigned to that web application, and those packets do not match anything the application would ordinarily generate, it is a good indication that an attack is under way.
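The behavioral approach described above can be made concrete with a baseline-and-deviation check. The following script is an added example, not code from the original article: it learns which destination/port pairs a web server normally talks to during a quiet period, then flags later flows that go to a destination outside the organization's address space (the internal ranges, the server address 10.0.1.20, and all flow records are constructed for this example), go to a destination/port pair never seen in the baseline, or move far more data than the baseline ever did. The key=value flow format is an assumption as well; real sensors would need their own parser.

```python
"""Behavioral baseline for a web server's outbound traffic (constructed example)."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# A flow larger than this multiple of the baseline maximum for its pair is flagged.
VOLUME_FACTOR = 10

# Constructed "learning window" flows from the web server to its database, cache and DNS.
BASELINE_FLOWS = """\
ts=2024-05-01T10:00:01Z src=10.0.1.20 dst=10.0.2.5 dport=5432 proto=tcp bytes=2100
ts=2024-05-01T10:00:02Z src=10.0.1.20 dst=10.0.2.9 dport=6379 proto=tcp bytes=640
ts=2024-05-01T10:00:03Z src=10.0.1.20 dst=10.0.2.5 dport=5432 proto=tcp bytes=1980
ts=2024-05-01T10:00:04Z src=10.0.1.20 dst=10.0.0.53 dport=53 proto=udp bytes=120
ts=2024-05-01T10:00:05Z src=10.0.1.20 dst=10.0.2.9 dport=6379 proto=tcp bytes=700
ts=2024-05-01T10:00:06Z src=10.0.1.20 dst=10.0.2.5 dport=5432 proto=tcp bytes=2250
"""

# Constructed "monitoring window" flows containing three deviations from the baseline.
MONITORED_FLOWS = """\
ts=2024-05-02T03:14:01Z src=10.0.1.20 dst=10.0.2.5 dport=5432 proto=tcp bytes=2010
ts=2024-05-02T03:14:02Z src=10.0.1.20 dst=203.0.113.7 dport=4444 proto=tcp bytes=900
ts=2024-05-02T03:14:03Z src=10.0.1.20 dst=10.0.2.9 dport=6379 proto=tcp bytes=650
ts=2024-05-02T03:14:04Z src=10.0.1.20 dst=10.0.2.5 dport=5432 proto=tcp bytes=48000000
ts=2024-05-02T03:14:05Z src=10.0.1.20 dst=10.0.2.40 dport=445 proto=tcp bytes=300
"""


def parse_flows(text):
    """Parse key=value flow lines into dicts; port and byte fields become ints."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def build_baseline(flows, server_ip):
    """Map each (dst, dport) pair the server used to the largest flow seen for it."""
    max_bytes = defaultdict(int)
    for f in flows:
        if f["src"] != server_ip:
            continue
        key = (f["dst"], f["dport"])
        max_bytes[key] = max(max_bytes[key], f["bytes"])
    return dict(max_bytes)


def is_internal(addr):
    """True if the address falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_anomalies(flows, baseline, server_ip):
    """Return one alert per flow from the server that deviates from the baseline."""
    alerts = []
    for f in flows:
        if f["src"] != server_ip:
            continue
        key = (f["dst"], f["dport"])
        reasons = []
        if not is_internal(f["dst"]):
            reasons.append("outbound to non-internal address")
        if key not in baseline:
            reasons.append("destination/port pair never seen in baseline")
        elif f["bytes"] > VOLUME_FACTOR * baseline[key]:
            factor = f["bytes"] // baseline[key]
            reasons.append("byte volume %dx above baseline maximum" % factor)
        if reasons:
            alerts.append({"ts": f["ts"], "dst": f["dst"],
                           "dport": f["dport"], "reasons": reasons})
    return alerts


def run_example(server_ip="10.0.1.20"):
    """Learn from BASELINE_FLOWS, then check MONITORED_FLOWS against that baseline."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS), server_ip)
    return detect_anomalies(parse_flows(MONITORED_FLOWS), baseline, server_ip)


if __name__ == "__main__":
    for alert in run_example():
        print(alert["ts"], alert["dst"], alert["dport"], "; ".join(alert["reasons"]))
```

On the constructed data the check raises three alerts: a connection to an address outside the internal ranges on a port the server never used, a flow to the usual database port carrying orders of magnitude more data than the baseline, and a connection to an internal host on a port the server never used. None of these needs a signature; each is simply a departure from what the server was observed to do.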
Zero-day exploit period
Once a zero-day vulnerability has been made public, it is known as an n-day vulnerability (also known as a one-day vulnerability).
These n-day vulnerabilities live on and remain subject to exploitation long after vendors have patched or otherwise fixed them. For example, the credit bureau Equifax was breached in 2017 by attackers using an exploit against the Apache Struts web framework. The vulnerability had been reported, and patched, earlier that year; Equifax failed to apply the patch, and attackers exploited the unpatched vulnerability to breach the company.
Likewise, researchers continue to find zero-day vulnerabilities in the Server Message Block protocol, implemented in the Windows OS for many years. Once the zero-day vulnerability is made public, users should patch their systems, but attackers continue to exploit the vulnerabilities for as long as unpatched systems remain exposed on the internet.
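The n-day window is something an organization can measure for itself: for every host still running a version below the fixed one, the number of days since disclosure is the time attackers have had a public description of the flaw. The following report is an added example, not code from the original article. The advisory identifier, product name, version numbers, hosts and dates are all constructed placeholders; the version comparison parses dotted versions into integer tuples because a plain string comparison would wrongly rank "1.4.10" below "1.4.3".

```python
"""Exposure report for an n-day vulnerability across a constructed host inventory."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Advisory:
    ident: str            # placeholder identifier, not a real advisory
    product: str
    fixed_version: str    # first version that contains the fix
    published: date       # day the flaw became public: start of the n-day window


@dataclass
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool


def parse_version(version):
    """Turn "1.4.10" into (1, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(host, advisory):
    """A host is vulnerable if it runs the product below the fixed version."""
    return (host.product == advisory.product
            and parse_version(host.version) < parse_version(advisory.fixed_version))


def exposure_report(hosts, advisory, as_of):
    """Return (host, days the flaw has been public, internet exposed) per vulnerable host.

    Internet-exposed hosts sort first because they are reachable by anyone who
    read the public advisory; ties are broken by host name for stable output.
    """
    rows = []
    for host in hosts:
        if is_vulnerable(host, advisory):
            rows.append((host.name, (as_of - advisory.published).days, host.internet_exposed))
    rows.sort(key=lambda row: (not row[2], row[0]))
    return rows


# Constructed advisory and inventory; none of these values refer to a real product.
ADVISORY = Advisory("ADVISORY-PLACEHOLDER", "webfw", "1.4.3", date(2024, 1, 15))
INVENTORY = [
    Host("web-01", "webfw", "1.4.1", internet_exposed=True),
    Host("web-02", "webfw", "1.4.3", internet_exposed=True),   # patched
    Host("app-03", "webfw", "1.4.2", internet_exposed=False),
    Host("web-04", "webfw", "1.5.0", internet_exposed=True),   # patched
    Host("app-05", "webfw", "1.4.10", internet_exposed=False),  # patched; string compare would get this wrong
    Host("db-06", "dbsrv", "9.1", internet_exposed=False),     # different product
]


def run_example(as_of=date(2024, 3, 1)):
    return exposure_report(INVENTORY, ADVISORY, as_of)


if __name__ == "__main__":
    for name, n_days, exposed in run_example():
        where = "internet-facing" if exposed else "internal"
        print("%s: vulnerable, flaw public for %d days (%s)" % (name, n_days, where))
```

Run on the constructed inventory as of 2024-03-01, the report lists two hosts still exposed 46 days after disclosure, the internet-facing one first. The same structure works for any advisory feed that supplies a product, a fixed version and a publication date; the point is that each unpatched day is counted, which is the exposure the Equifax example above illustrates.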
Defending against zero-day attacks
Zero-day exploits are difficult to defend against because they are so difficult to detect. Vulnerability scanning software relies on malware signature checkers to compare suspicious code with signatures of known malware; when the malware uses a zero-day exploit that has not been previously encountered, such vulnerability scanners will fail to block the malware.
Since a zero-day vulnerability can't be known in advance, there is no way to guard against a specific exploit before it happens. However, there are some things that companies can do to reduce their level of risk exposure.
- Use virtual local area networks to segregate some areas of the network or use dedicated physical or virtual network segments to isolate sensitive traffic flowing between servers.
- Implement IPsec, the IP security protocol, to apply encryption and authentication to network traffic.
- Deploy an IDS or IPS. Although signature-based IDS and IPS security products may not be able to identify the attack, they may be able to alert defenders to suspicious activity that occurs as a side effect to the attack.
- Use network access control to prevent rogue machines from gaining access to crucial parts of the enterprise environment.
- Lock down wireless access points and use a security scheme such as Wi-Fi Protected Access 2 for maximum protection against wireless-based attacks.
- Keep all systems patched and up to date. Although patches will not stop a zero-day attack, keeping network resources fully patched may make it more difficult for an attack to succeed. When a zero-day patch does become available, apply it as soon as possible.
- Perform regular vulnerability scanning against enterprise networks and lock down any vulnerabilities that are discovered.
While maintaining a high standard for information security may not prevent all zero-day exploits, it can help defeat attacks that use zero-day exploits after the vulnerabilities have been patched.
Examples of zero-day attacks
Multiple zero-day attacks commonly occur each year. In 2016, for example, there was a zero-day attack (CVE-2016-4117) that exploited a previously undiscovered flaw in Adobe Flash Player. Also in 2016, more than 100 organizations succumbed to a zero-day bug (CVE-2016-0167) that was exploited for an elevation of privilege attack targeting Microsoft Windows.
In 2017, a zero-day vulnerability (CVE-2017-0199) was discovered in which a Microsoft Office document in Rich Text Format was shown to be able to trigger the execution of a Visual Basic script containing PowerShell commands upon being opened. Another 2017 exploit (CVE-2017-0261) used Encapsulated PostScript as a platform for initiating malware infections.
The Stuxnet worm was a devastating zero-day exploit that targeted supervisory control and data acquisition (SCADA) systems by first attacking computers running the Windows operating system. Stuxnet exploited four different Windows zero-day vulnerabilities and spread through infected USB drives, making it possible to infect both Windows and SCADA systems remotely without attacking them through a network. The Stuxnet worm has been widely reported to be the result of a joint effort by U.S. and Israeli intelligence agencies to disrupt Iran's nuclear program.