A zero-day vulnerability is a vulnerability or bug that is unknown to trusted sources, such as operating system and antivirus vendors. If you’re planning on taking the Security+ exam, you should have a basic understanding of zero-day vulnerabilities.
For example, can you answer this question?
Q. Your organization recently suffered a loss from malware that wasn’t previously known by any trusted sources. Which type of attack is this?
A. Phishing attack
B. Zero-day
C. Buffer overflow
D. Integer overflow
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect?
The answer and explanation are at the end of this post.
Zero-Day Exploits
A zero-day vulnerability is a vulnerability or bug that is unknown to trusted sources, such as operating system and antivirus vendors. Operating system vendors write and release patches once they know about a vulnerability, but until the vendors know about it, the vulnerability remains. As an example, the Heartbleed vulnerability existed for a couple of years before it was widely published. Up until the time that OpenSSL developers released a fix, everyone using OpenSSL was vulnerable.
Users might adopt the idea that up-to-date antivirus software will protect them from all malware. This simply isn’t true. No matter how great an antivirus company is at identifying new malware, there is always going to be a lag between the time when criminals release the malware and the time when the antivirus company releases new signatures to detect it. This includes malware designed to take advantage of zero-day vulnerabilities.
Remember this
Educating users about new viruses, phishing attacks, and zero-day exploits helps prevent incidents. Zero-day exploits take advantage of vulnerabilities that aren’t known by trusted sources, such as operating system vendors and antivirus vendors.
With this in mind, users need to practice safe computing habits. They can’t depend on the antivirus software and other technical controls to protect them. Some basic guidelines are:
- Don’t click on links within emails from unknown sources (no matter how curious you might be).
- Don’t open attachments from unknown sources (malware can be embedded into many different files, such as Portable Document Format (PDF) files, Word documents, Zip files, and more).
- Be wary of free downloads from the Internet (Trojans entice you with something free but include malware).
- Limit information you post on social media sites (criminals use this to answer password reset questions).
- Back up your data regularly (unless you’re willing to see it disappear forever).
- Keep your computer up to date with current patches (but beware of zero-day exploits).
- Keep antivirus software up to date (but don’t depend on it to catch everything).
Zero-Day Attacks
A zero-day attack is one that exploits an undocumented vulnerability. Many times, the vendor isn’t aware of the issue. At some point, the vendor learns of the vulnerability and begins to write and test a patch to eliminate it. However, until the vendor releases the patch, the vulnerability is still a zero-day vulnerability.
As an example, a bug existed in the virtual DOS machine (VDM) that shipped with every version of 32-bit Windows systems from 1993 to 2010. The bug allowed attackers to escalate their privileges to full system level, effectively allowing them to take over the system. Google researcher Tavis Ormandy stated that he reported the bug to Microsoft in mid-2009. At this point, Microsoft (the vendor) knew about the bug, but didn’t release a work-around until January 2010 and a patch until February 2010. Because the bug wasn’t known publicly until January 2010, it remained a zero-day vulnerability until then.
Both attackers and security experts are constantly looking for zero-day vulnerabilities. Attackers want to learn about them so that they can exploit them. Most security experts want to know about them so that they can help ensure that vendors patch them before they cause damage to users.
Remember this
Zero-day exploits are undocumented and unknown to the public. The vendor might know about the vulnerability, but has not yet released a patch to address it.
Q. Your organization recently suffered a loss from malware that wasn’t previously known by any trusted sources. Which type of attack is this?
A. Phishing attack
B. Zero-day
C. Buffer overflow
D. Integer overflow
B is correct. A zero-day exploit is one that isn’t known by trusted sources such as antivirus vendors or operating system vendors.
Trusted sources know about many phishing attacks, buffer overflow attacks, and integer overflow attacks.