zero-day vulnerability

What is a zero-day vulnerability?

A zero-day vulnerability is a security loophole in software, hardware or firmware that threat actors exploit before the vendors can identify and patch it.

Initially, zero-day indicated the time since a new software release, where zero-day software was obtained through hacking into a developer's system before release. Gradually, the term broadened to include the vulnerabilities enabling these hacks and the time vendors had to resolve them.Top of Form

Once a zero-day vulnerability has been made public, it is known as an n-day or one-day vulnerability.

How does a zero-day vulnerability happen?

Ordinarily, when someone detects that a software program or an app contains a potential security issue, that person or company will notify the software company (and sometimes the world at large) to take action. Given time, the software company can fix the malicious code and distribute a security patch or software update. Even if potential attackers hear about the vulnerability, it might take them some time to exploit it; meanwhile, the fix will hopefully become available first.

Sometimes, however, a malicious hacker might be the first to discover the vulnerability. Since the vulnerability isn't known in advance, there is no way to guard against the exploit before an attack happens. Companies exposed to such exploits can, however, institute procedures for early detection.

Ethical security researchers try to cooperate with software vendors and usually agree to withhold all details of zero-day vulnerabilities for a reasonable period before publishing those details. For example, Google's Project Zero -- a team of security researchers that studies zero-day vulnerabilities -- follows industry guidelines, giving vendors up to 90 days to patch a typical vulnerability before publicly disclosing the flaw. If criminals are actively exploiting a zero-day vulnerability, however, Project Zero may reduce the response time to seven days or less.

Zero-day vulnerability vs. zero-day attack vs. zero-day exploit

Zero-day vulnerabilities, zero-day attacks and zero-day exploits are all interrelated terms:

• Zero-day vulnerability. As mentioned above, a zero-day vulnerability refers to a previously unknown security gap that hasn't been publicly disclosed or patched by the vendor. The term zero-day indicates that the vendor has had zero days to address the issue. Cybercriminals can exploit these vulnerabilities to compromise systems, steal data, or launch other types of cyberattacks before the vendor becomes aware of the issue and releases a patch.
• Zero-day attack. A zero-day attack occurs when a cybercriminal exploits a zero-day vulnerability. They do this by taking advantage of the security flaw before the vendor releases a patch or fix for it, often through tactics such as launching malware attacks. Zero-day attacks are particularly dangerous because they can be launched silently, without any warning or defense in place.
• Zero-day exploit. This is the specific technique or piece of code that an attacker uses to exploit a zero-day vulnerability. Through this attack vector, the attacker enters a system or network without authorization. Zero-day exploits are frequently very complex and can be created covertly or shared by hackers on the dark web.

Zero-day exploit detection

A zero-day exploit tends to be difficult to detect. This is because the traditional threat detection methods, such as signature-based approaches and databases of known threats, are ineffective against them. Since zero-day exploits exploit vulnerabilities that are not yet known to the vendor or security community, there are no existing signatures or patterns for security systems to recognize and block them. Antimalware software, intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) also can't recognize the attack signature because one doesn't yet exist. However, the following detection techniques can often prevent zero-day exploits from evading detection:

User behavior analytics

User behavior analytics is the best way to detect a zero-day attack. Most of the entities authorized to access networks exhibit certain usage and behavior patterns that are considered to be normal. Activities falling outside of the normal scope of operations could be an indicator of a zero-day attack.

For example, a web application server normally responds to requests in specific ways. If outbound packets are detected exiting the port assigned to that web application, and those packets do not match anything that would ordinarily be generated by the application, it is a good indication that an attack is happening.

Statistical anomaly detection

Anti-malware companies publish data about exploits they've previously identified. This information can be utilized to build and train machine learning models for detecting ongoing attacks. However, this method might struggle to identify and prioritize sophisticated, new cyberthreats, resulting in potential inaccuracies, such as false positives and false negatives.

Vulnerability scanning

Vulnerability scanning isn't foolproof, but it can simulate attacks on software code, conduct code reviews and try to find new vulnerabilities that may have been introduced after a software update. Therefore, by taking a proactive stance, some zero-day exploits may be revealed before they are even utilized.

ASM tools

Attack surface management (ASM) tools assess the network from a hacker's perspective, focusing on how threat actors are likely to exploit assets to gain access. According to Gartner, Microsoft Defender, Falcon Surface CrowdStrike and Halo Security are a few examples of ASM tools.

By enabling organizations to explore their networks through the eyes of an attacker, ASM tools can help uncover zero-day vulnerabilities.

Zero-day exploit period

The zero-day exploit period refers to the timeframe during which a zero-day vulnerability is actively exploited by attackers before a fix through patch management is released by the vendor.

Some zero-day attacks have been attributed to advanced persistent threat (APT) actors, including hacking or cybercrime groups affiliated with or part of national governments. Experts believe attackers, especially APTs or organized cybercrime groups, reserve their zero-day exploits for high-value targets.

N-day vulnerabilities continue to live on and are subject to exploits long after vendors have released corrective software patches. For example, in 2017, a vulnerability in the Apache Struts web framework was reported and a patch was released. The credit bureau Equifax, however, failed to execute the patch. Later that year, attackers exploited the unpatched vulnerability, resulting in a breach. Likewise, researchers continued to find zero-day vulnerabilities in the Server Message Block protocol, utilized in the Windows operating system (OS) for many years.

Once a zero-day vulnerability is made public and a patch released, users should update their systems accordingly. Many fail to do so, however, and attackers continue to exploit the vulnerabilities for as long as unpatched vulnerable systems remain exposed on the internet.

Defending against zero-day attacks

Zero-day exploits are difficult to defend against because they are so difficult to detect. Vulnerability scanning software relies on malware signature checkers to compare suspicious code with signatures of known malware; when the malware uses a zero-day exploit that has not been previously encountered, such vulnerability scanners will fail to block the malware.

Since, by definition, a zero-day vulnerability can't be known in advance, there is no way to guard against a specific exploit before it happens. However, there are some things that companies can do to reduce their level of risk exposure and security risks. These include the following:

• Network segmentation. To prevent zero-day attacks, companies could use virtual local area networks to segregate some areas of the network or use dedicated physical or virtual network segments to isolate sensitive information flowing between servers.
• Encryption. Organizations can use IPsec, the Internet Protocol (IP) security protocol, to apply encryption and authentication to network traffic.
• IDS and IPS. Deploying an IDS or IPS can help against zero-day attacks. Although signature-based IDS and IPS security products may not be able to identify the attack, they may be able to alert defenders to malicious activity that occurs as a side effect of the attack.
• Network access control. Organizations should use network access control to prevent rogue machines from gaining access to crucial parts of the enterprise environment.
• Securing wireless access points. Locking down wireless access points and using a security scheme such as Wi-Fi Protected Access (WPA) 2 for maximum protection against wireless-based attacks can help mitigate zero-day attacks.
• System patches and updates. All systems should be patched and up to date. Although patches will not stop a zero-day attack, keeping network resources fully patched may make it more difficult for such an attack to succeed. When a zero-day or n-day patch does become available, organizations should apply it as soon as possible.
• Vulnerability scanning. Companies should also perform regular vulnerability scanning against enterprise networks and lock down any security vulnerabilities that are discovered.
• Next-generation antivirus (NGAV) options. Traditional antivirus software relies on known quantifiers such as signature-based detection methods to detect malware. However, to protect against the unknown nature of zero-day malware, organizations can use NGAV options, which utilize machine learning to detect zero-day malware.
• Runtime application self-protection. RASP is the most recent development in zero-day attack mitigation and defense. RASP agents are embedded within applications, analyzing request payloads alongside the application code during runtime to distinguish between legitimate and malicious requests, empowering applications to protect themselves.
• Threat intelligence. Organizations can utilize threat intelligence feeds and information-sharing communities to stay informed about emerging threats and zero-day vulnerabilities. By actively monitoring for indicators of compromise related to zero-day attacks, organizations can effectively defend against such threats.
• Zero-day initiative and buy bounty program. The zero-day initiative and bug bounty program are initiatives that reward security researchers and software developers for responsibly disclosing zero-day vulnerabilities rather than selling them on the black market. Researchers submit their findings to the program. If verified, they receive financial compensation, recognition and assistance in responsibly disclosing the vulnerability to the affected vendor. This can help in identifying and addressing zero-day vulnerabilities before they are exploited by malicious actors.

While maintaining a high standard for cybersecurity hygiene might not prevent all zero-day attacks, it's the best line of defense against unrecognizable exploits.

Examples of zero-day attacks

Multiple zero-day attacks occur each year. Some examples of past and recent zero-day attacks include the following:

• In 2016, for example, there was a zero-day attack (CVE-2016-4117) that exploited a previously undiscovered flaw in Adobe Flash Player. Also in 2016, more than 100 organizations succumbed to a zero-day bug (CVE-2016-0167) that was exploited for an escalation of privilege attack targeting Microsoft Windows.
• In 2017, a zero-day vulnerability (CVE-2017-0199) was discovered in which a Microsoft Office document in rich text format was shown to be able to trigger the execution of a visual basic script containing PowerShell commands upon being opened. Another 2017 exploit (CVE-2017-0261) used encapsulated PostScript as a platform for initiating malware infections.
• The Stuxnet worm was a devastating zero-day exploit that emerged in 2010 and targeted supervisory control and data acquisition (SCADA) systems by first attacking computers running the Windows OS. Stuxnet exploited four different Windows zero-day vulnerabilities and spread through infected USB drives, making it possible to infect both Windows and SCADA systems remotely without attacking them through a network. The Stuxnet worm has been widely reported to be the result of a joint effort by U.S. and Israeli intelligence agencies to disrupt Iran's nuclear program.
• In 2021, Log4Shell, a zero-day vulnerability within the Log4J Java library, enabled hackers to remotely control devices running Java apps. Its widespread use in programs including Apple iCloud and Minecraft, put millions of devices at risk, earning it a perfect 10 out of 10 risk score in MITRE's Common Vulnerabilities and Exposures (CVE) database. Despite efforts, security researchers noted over 100 Log4Shell attacks per minute at their peak.
• The WordPad NTLM Hash Disclosure (CVE-2023-36563) was discovered in 2023. This software vulnerability detected in Microsoft WordPad could potentially enable attackers to extract a user's NTLM hash, which may then be utilized for password-cracking purposes.
• In 2024, a critical command injection vulnerability, CVE-2024-3400, was found in Palo Alto Networks PAN-OS software's GlobalProtect feature. It affects versions PAN-OS 12.0, PAN-OS 11.0, and PAN-OS 11.1, with a CVSS score of 10. Exploitation enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
• On May 9, 2024, a high-severity Google vulnerability that affects the V8 JavaScript and WebAssembly engine was listed as CVE-2024-4761. It is an out-of-bounds write bug.

Zero-day vulnerabilities are on the rise. A report compiled from Google's Threat Analysis Group (TAG) and Mandiant indicates that 97 zero-day vulnerabilities were exploited in 2023, marking a significant rise from the 62 identified in 2022.

Discover the top 10 information security issues that IT teams must deal with, from phishing and malware to insider threats and data breaches. Ensure that the IT teams are well-informed and ready to protect the organization's digital assets.