Zero-day attack: Difference between revisions
Myleshocking (talk | contribs): m Bot: Fixing double redirect to Zero-day vulnerability (Tag: Redirect target changed)
(22 intermediate revisions by 19 users not shown)

#REDIRECT [[Zero-day vulnerability]]

A '''zero-day''' (or '''zero-hour''' or '''day zero''') '''attack''' or '''[[threat (computer)|threat]]''' is an [[Attack (computing)|attack]] that exploits a previously unknown [[vulnerability (computing)|vulnerability]] in a [[Application software|computer application]] or [[operating system]], one that developers have not had time to address and patch.<ref>{{cite web |url=http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm |title=About Zero Day Exploits |publisher=Netsecurity.about.com |date=2010-11-11 |accessdate=2012-01-08}}</ref> It is called a "zero-day" because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a "zero-day exploit".<ref>{{cite web | url = http://www.tomsguide.com/us/zero-day-exploit-definition,news-17903.html | title = What is a Zero-Day Exploit? | first = Elizabeth | last = Palermo | date = 2013-11-22 | work = Tom's Guide }}</ref> It is common for individuals or companies who discover zero-day attacks to sell them to government agencies for use in [[cyberwarfare]].<ref>{{cite web | url = http://grahamcluley.com/2013/07/zero-day-ios-exploit/ | work = Graham Cluely | title = Zero-day exploit in Apple’s iOS operating system 'sold for $500,000 | date = 15 Jul 2013 }}</ref><ref>{{cite web | url = http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html | work = New York Times | title = Nations Buying as Hackers Sell Flaws in Computer Code | date = 14 Jul 2013 }}</ref><ref>{{ cite web | url = http://www.fastcompany.com/3009156/the-code-war/how-spies-hackers-and-the-government-bolster-a-booming-software-exploit-market | work = Fast Company | title = How Spies, Hackers, And the Government Bolster A Booming Software Exploit Market | date = 1 May 2013 }}</ref><ref>{{ cite web | work = Slate | url = http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html | title = Cyberwar’s Gray Market | date = 16 Jan 2013 }}</ref>

==Attack vectors==

[[Malware]] writers are able to exploit zero-day [[vulnerability (computing)|vulnerabilities]] through several different attack [[vector (malware)|vector]]s. Web browsers are a particular target because of their widespread distribution and usage. Attackers can also send e-mail attachments, which exploit vulnerabilities in the application opening the attachment.<ref>{{cite web|author=Jaikumar Vijayan |url=http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005117 |title=''SANS sees upsurge in zero-day web-based attacks'', ''Computerworld'' |publisher=Computerworld.com |date= |accessdate=2012-01-08}}</ref> Exploits that take advantage of common file types are listed in databases like [[United States Computer Emergency Readiness Team|US-CERT]]. Malware can be engineered to take advantage of these file type exploits to compromise attacked systems or steal confidential data such as banking passwords and personal identity information.<ref>"E-mail Residual Risk Assessment" Avinti, Inc., p. 2 http://avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf</ref>

==Vulnerability window==

Zero-day attacks occur during the vulnerability window: the time between when a vulnerability is first exploited and when the software developers start to develop and publish a counter to that threat.

For [[computer worm|worm]]s, [[computer virus|virus]]es, [[Trojan horse (computing)|Trojan]]s and other zero-day [[malware]] attacks, the vulnerability window follows this time line:

*The developer creates software containing an unknown vulnerability.
*The attacker finds the vulnerability before the developer does (or while the developer is aware of it but has neglected or been unable to fix it).
*The attacker writes an exploit while the vulnerability is either not known to the developer or known but still not closed (''e.g.'', because an internal assessment judged the threat's potential damage costs to be lower than the cost of developing a fix), and usually also uses and distributes it.
*The developer or the public becomes aware of the exploited vulnerability, and the developer is forced to start working on a fix, if not already doing so.
*The developer releases the fix.
*The released fix is installed on all user devices.

Conceptually, there is one more event in the zero-day attack time line, the users applying the fix, which effectively closes the vulnerability window; but that varies, as some users may simply stop using the affected software as soon as the problem surfaces, while others may never learn of it at all, never fix it, and thereby keep the vulnerability window open. Thus the vulnerability window's length is usually measured only until the developer releases the fix. In any case, once the fix has been made public, the exploit is, by definition, no longer called a ''zero-day'' exploit.

Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute such information for commercial or security reasons. Developers also may not know whether the vulnerability is being exploited when they fix it, and so may not record the vulnerability as a zero-day attack. By one estimate, "hackers exploit security vulnerabilities in software for 10 months on average before details of the holes surface in public," ''i.e.'', the average vulnerability window of a zero-day exploit is about 10 months.<ref>{{cite web|last=Leyden|first=John|title=Hackers get 10 MONTHS to pwn victims with 0-days before world+dog finds out|url=http://www.theregister.co.uk/2012/10/24/zero_day_study/|publisher=The Register|accessdate=24 October 2012}}</ref> However, this window can easily be several years long. For example, in 2008, [[Microsoft]] confirmed a vulnerability in [[Internet Explorer]] which affected some versions released in 2001.<ref>{{cite news|url=http://news.bbc.co.uk/2/hi/technology/7784908.stm |title=Technology | Serious security flaw found in IE |publisher=BBC News |date=2008-12-16 |accessdate=2012-01-08}}</ref> The date the vulnerability was first found by an attacker is not known; the vulnerability window in this case could have been up to 7 years. Some windows may never be closed, for example if the vulnerability is hardwired into a device, so that closing it requires replacing the device or installing additional hardware to protect it from exploitation.

=== Reverse engineering patches ===

Sometimes exploitation events are seen shortly after the release of a security patch. By analyzing the patch, exploit developers can more easily figure out how to exploit the underlying vulnerability,<ref>{{cite web|last=Kurtz |first=George |title=Operation "Aurora" Hit Google, Others |publisher=mcafee.com |date=2010-01-14 |accessdate=2010-01-14 |url=http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/ |archiveurl=https://web.archive.org/web/20100116111012/http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/ |archivedate=2010-01-16}}</ref> and attack the systems that have not yet been patched. Hence the term "Exploit Wednesday" (after [[Patch Tuesday]]) was coined.<ref>{{cite web |last=Leffall |first=Jabulani |title=Are Patches Leading to Exploits? |publisher=The Register |date=2007-10-12 |accessdate=2009-02-25 |url=http://redmondmag.com/news/article.asp?editorialsid=9143}}{{dead link|date=April 2014}}</ref>

[[Microsoft]] warned users that, after it discontinued support for [[Windows XP]] on April 8, 2014, users still running Windows XP would face a 'zero-day forever' risk, because security patches for newer Windows versions could be reverse engineered to find the corresponding, never-to-be-patched flaws in XP.<ref>{{cite web |last=Rains|first=Tim|title=The Risk of Running Windows XP After Support Ends April 2014|publisher=Microsoft Security Blog|date=2013-08-15|accessdate=2013-08-27 |url=http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx}}</ref><ref>{{cite web |title=Microsoft Warns of Permanent Zero-Day Exploits for Windows XP|publisher=InfoSecurity|date=2013-08-16 |accessdate=2013-11-11|url=http://redmondmag.com/articles/2013/08/16/windows-xp-zero-day.aspx}}</ref> Ironically, a zero-day vulnerability that was discovered in August 2013 and exploited by hackers compromised every Windows system from Vista to 8.1, but not Windows XP.<ref>{{citation |title=Russian hackers use ‘zero-day’ to hack NATO, Ukraine in cyber-spy campaign |first=Ellen |last=Nakashima |work=Washington Post |date=13 October 2014 |accessdate=14 October 2014 |url=http://www.washingtonpost.com/world/national-security/russian-hackers-use-zero-day-to-hack-nato-ukraine-in-cyber-spy-campaign/2014/10/13/f2452976-52f9-11e4-892e-602188e70e9c_story.html}}</ref>

==Discovery==

A special type of [[Vulnerability management|vulnerability management process]] focuses on finding and eliminating zero-day weaknesses. This unknown vulnerability management lifecycle is a security and quality assurance process that aims to ensure the security and robustness of both in-house and third-party software products by finding and fixing unknown (zero-day) vulnerabilities. The unknown vulnerability management process consists of four phases: analyze, test, report and mitigate.<ref>Anna-Maija Juuso and Ari Takanen ''Unknown Vulnerability Management'', Codenomicon whitepaper, October 2010 [http://www.codenomicon.com/solutions/unknown-vulnerability-management/].</ref>

*Analyze: this phase focuses on [[attack surface]] analysis
*Test: this phase focuses on [[fuzz testing]] the identified attack vectors
*Report: this phase focuses on reporting the found issues to developers
*Mitigate: this phase looks at the protective measures explained below

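As an added illustration of the "test" phase (example code written for this page, not taken from the article or from the Codenomicon whitepaper it cites), the following Python mutation fuzzer exercises a small record parser. The TLV wire format, the parser, its deliberately missing value-length check and the seed input are all constructed here. The harness separates the parser's own ParseError (a deliberate, graceful rejection) from any other exception (an unhandled robustness bug), which is the signal a fuzzing campaign reports to developers; the same run against the parser's strict mode shows the bug gone once the length check is in place.

```python
import random
import struct


class ParseError(Exception):
    """Raised when input is rejected deliberately; not a bug."""


def parse_records(data: bytes, strict: bool = False) -> list:
    """Parse a constructed TLV format: [type:1][length:1][value:length]...

    Type 0x01 is ASCII text, type 0x02 is a big-endian 32-bit integer.
    With strict=False the parser never checks that the value really has
    `length` bytes, so a truncated or mislabelled integer record reaches
    struct.unpack with the wrong size and raises struct.error instead of
    ParseError: this is the constructed bug the fuzzer is meant to find.
    strict=True adds the missing checks and is the fixed parser.
    """
    records = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated header")
        rtype, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if strict and len(value) != length:
            raise ParseError("truncated value")
        if rtype == 0x01:
            records.append(("text", value.decode("ascii", errors="replace")))
        elif rtype == 0x02:
            if strict and length != 4:
                raise ParseError("bad integer length")
            records.append(("int", struct.unpack(">I", value)[0]))
        else:
            raise ParseError(f"unknown type {rtype:#x}")
        pos += 2 + length
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: byte overwrite, truncation, or byte insertion."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(seed_input: bytes, iterations: int, seed: int = 0, strict: bool = False) -> dict:
    """Mutate seed_input repeatedly and return {exception name: first crashing input}.

    ParseError is the parser's intended rejection and is not counted; every
    other exception is a robustness bug worth reporting.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parse_records(candidate, strict=strict)
        except ParseError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


# Constructed, well-formed seed: a text record "abc" followed by an integer record 42.
SEED_INPUT = b"\x01\x03abc" + b"\x02\x04" + struct.pack(">I", 42)

if __name__ == "__main__":
    for name, sample in fuzz(SEED_INPUT, iterations=2000, seed=1).items():
        print(f"unhandled {name} on input {sample!r}")
    print("crashes with strict parser:", fuzz(SEED_INPUT, 2000, seed=1, strict=True))
```

Each crashing input that the run records is exactly what the "report" phase hands to the developers: a reproducer plus the exception it triggers. The fixed parser rejects the same inputs with ParseError, so the second run returns no crashes.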
==Protection==

'''Zero-day protection''' is the ability to provide protection against zero-day exploits. Zero-day attacks can also remain undetected after they are launched.<ref>{{cite web|url=http://what-is-what.com/what_is/zero_day_exploit.html |title=What is a Zero-Day Exploit? |publisher=What-is-what.com |date= |accessdate=2012-01-08}}</ref>

Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities, such as [[buffer overflows]].{{Citation needed|date=August 2007}} These protection mechanisms exist in contemporary operating systems such as [[Microsoft]] [[Windows 8]], [[Windows 7]], [[Security and safety features new to Windows Vista|Windows Vista]], [[Apple Inc.|Apple's]] [[Mac OS X]], recent [[Oracle Corporation|Oracle]] [[Solaris (operating system)|Solaris]], [[Linux]] and possibly other [[Unix]] and [[Unix-like]] environments; Microsoft [[Windows XP]] Service Pack 2 includes limited protection against generic memory corruption vulnerabilities.<ref>{{cite web|url=http://microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx |title=Changes to Functionality in Microsoft Windows XP Service Pack 2 |publisher=Microsoft.com |date=2004-08-18 |accessdate=2012-01-08}}</ref> Desktop and server protection software also exists to mitigate zero-day buffer overflow vulnerabilities.{{Citation needed|date=August 2007}}<!-- Typically these technologies involve [[heuristic (computer science)|heuristic termination analysis]] -- stopping the attack before it can become effective. {{fact|date=October 2007}} - DEP has nothing to do with HTA -->

Defending in "multiple layers" provides service-agnostic protection and is the first line of defense should an exploit in any one layer be discovered. An example of this for a particular service is implementing [[access control list]]s in the service itself, restricting network access to it via local server [[Firewall (computing)|firewalling]] (e.g., [[Ip tables|iptables]]), and then protecting the entire network with a hardware firewall. All three layers provide redundant protection in case any one of them is compromised.

The use of [[port knocking]] or single packet authorization daemons may provide effective protection against zero-day exploits in network services. However, these techniques are not suitable for environments with a large number of users.

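The single packet authorization idea from the paragraph above, as an added example written for this page rather than taken from the article or from any real daemon (fwknop and similar tools define their own packet formats): the client sends one datagram carrying a timestamp, a random nonce and an HMAC-SHA256 over both under a shared key, and the server opens the service to that source only if the MAC verifies in constant time, the timestamp is fresh and the nonce has not been seen before. The shared key, the field layout, the 30-second freshness window and the "open firewall" stub (which here just records the granted source) are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed shared secret; a real daemon would load this from protected configuration.
SHARED_KEY = b"example-spa-key-not-for-production"
FRESHNESS_SECONDS = 30      # assumed window in which a packet's timestamp is accepted
NONCE_BYTES = 16
MAC_BYTES = 32              # HMAC-SHA256 digest length
PACKET_LEN = 8 + NONCE_BYTES + MAC_BYTES

# Constructed wire format: [timestamp:8 big-endian][nonce:16][mac:32]


def build_auth_packet(key: bytes, now=None, nonce=None) -> bytes:
    """Client side: build one authorization datagram."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_BYTES) if nonce is None else nonce
    body = struct.pack(">Q", ts) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaServer:
    """Server side: verify datagrams and record which sources were granted access."""

    def __init__(self, key: bytes, freshness: int = FRESHNESS_SECONDS):
        self.key = key
        self.freshness = freshness
        self.seen_nonces = {}   # nonce -> timestamp, kept for replay rejection
        self.granted = []       # stand-in for "open the firewall for this source"

    def _forget_expired(self, now: int) -> None:
        # A nonce older than the freshness window can never verify again, so drop it.
        cutoff = now - self.freshness
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

    def handle(self, source_ip: str, packet: bytes, now=None) -> str:
        """Return 'granted' or a rejection reason; never raises on malformed input."""
        now = int(time.time()) if now is None else now
        if len(packet) != PACKET_LEN:
            return "rejected: bad length"
        body, mac = packet[:-MAC_BYTES], packet[-MAC_BYTES:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Verify the MAC first, in constant time, so unauthenticated packets can
        # neither probe the later checks nor leak timing information about the key.
        if not hmac.compare_digest(mac, expected):
            return "rejected: bad mac"
        ts = struct.unpack(">Q", body[:8])[0]
        nonce = body[8:]
        if abs(now - ts) > self.freshness:
            return "rejected: stale"
        self._forget_expired(now)
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces[nonce] = ts
        self.granted.append(source_ip)
        return "granted"


def demo(now: int = 1_700_000_000) -> list:
    """Fixed scenario: genuine packet, its replay, a tampered copy, a stale packet, a forgery."""
    server = SpaServer(SHARED_KEY)
    pkt = build_auth_packet(SHARED_KEY, now=now, nonce=b"\x01" * NONCE_BYTES)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    old = build_auth_packet(SHARED_KEY, now=now - 2 * FRESHNESS_SECONDS, nonce=b"\x02" * NONCE_BYTES)
    forged = build_auth_packet(b"wrong-key", now=now, nonce=b"\x03" * NONCE_BYTES)
    return [
        server.handle("192.0.2.10", pkt, now=now + 5),
        server.handle("192.0.2.10", pkt, now=now + 6),
        server.handle("192.0.2.11", tampered, now=now + 6),
        server.handle("192.0.2.11", old, now=now + 6),
        server.handle("192.0.2.12", forged, now=now + 6),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks is the point: a service that is closed until a valid packet arrives exposes nothing to an unauthenticated scanner, which is why the article counts these daemons as a defense against zero-days in the protected service itself. A production daemon would additionally encrypt the request and bind it to the requesting address and port; only the authenticity, freshness and replay checks are shown here.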
Engineers and vendors such as Gama-Sec in Israel and DataClone Labs in Reno, Nevada are attempting to provide support with the Zeroday Project,<ref>{{cite web |url=http://dataclonelabs.com/security_talkworkshop/ZDP/ |title=Launch Announcement: The Zero Day Project Announced To Fight Explosion in Web Attacks |date=14 July 2009 |accessdate=11 November 2011}}</ref> which purports to provide information on upcoming attacks and support to vulnerable systems.

Keeping the computer's software up to date is also important, and it does help.

Users need to be careful when clicking on links or opening e-mail attachments containing images or PDF files, even if the sender is someone they know. Many cyber criminals deceive users this way, by pretending to be something they are not in order to gain the user's trust, and by having a virus or other malware e-mail copies of itself to the address lists of infected victims.

Use sites that support [[Secure Socket Layer]] (SSL), which secures the information passed between the user and the visited site.

==Ethics==

Differing views surround the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, [[computer worm]]s and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity. An example of such a program is TippingPoint's Zero Day Initiative.<ref>{{cite web|url=http://www.zerodayinitiative.com |title=zerodayinitiative.com |publisher=zerodayinitiative.com |date= |accessdate=2012-01-08}}</ref> While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is much controversy over the method of disclosure. A recent German decision to include Article 6 of the [[Convention on Cybercrime]] in the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.

Most formal efforts follow some form of [[RFPolicy]] disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response.<ref>http://www.oisafety.org/guidelines/secresp.html</ref> In general, these rules forbid the public disclosure of vulnerabilities without notification to the developer and adequate time to produce a patch.

==See also==

{{Portal|Computer security}}

*[[Access control]]
*[[Industrial espionage]]
*[[IT risk]]
*[[Metasploit Project]]
*[[Network Access Control]]
*[[Network Access Protection]]
*[[Network Admission Control]]
*[[Penetration test]]
*[[Responsible disclosure]]
*[[Targeted threat]]

==Footnotes==

{{reflist|2}}

==References==

{{Refbegin}}
*Messmer, Ellen, [http://pcworld.com/article/id,130455/article.html ''Is Desktop Antivirus Dead?''], ''PC World'', April 6, 2007.
*Naraine, Ryan, [http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html ''Anti-Virus Is Dead, D-E-A-D, Dead!'']{{dead link|date=April 2014}}, ''eWeek'', December 1, 2006.
*Mediati, Nick, [http://www.itnews.com/security/39705/do-you-speak-securitese-five-security-terms-you-should-know?page=0,1 ''Do You Speak Securitese? Five Security Terms You Should Know''], ''PC World'', December 2, 2011.
*Rosa, T.M.; Santin, A.O.; Malucelli, A., [https://secplab.ppgia.pucpr.br/files/papers/2013-3.pdf ''Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems''], ''IEEE Security & Privacy'', vol. 11, no. 4, pp. 46–53, July–Aug. 2013.
{{Refend}}

==External links==

[[Category:Computer security exploits]]
[[Category:Computer network security]]

[[de:Exploit#Zero-Day-Exploit]]
Latest revision as of 06:17, 13 April 2024