From time to time, the information security press headlines seem to go in overdrive: the sky is falling, the world is doomed, and there's nothing anyone can do about it. Coincidentally, a race of life and death is on: malware writers try to exploit as many systems as they can, while vendors frantically publish workarounds or patches outside of their regular schedule, and systems administrators scramble to apply those before they get hacked.
The most common cause of such activity is called a Zero-Day.
What is a Zero-Day?
In the world of pirated digital goods (software, movies, music …), a pirated version is qualified as "Zero-Day" when it is available at the same time as or before the official release. Literally, the pirate version is published zero days after the public release.
In the context of Information Security, the term "Zero-Day" is bandied around by the press. At heart, though, "Zero-Day" is jargon for an exploit for a vulnerability in a piece of software that is not publicly known yet, and by extension to the vulnerability itself. To further add ambiguity, active attacks against these vulnerabilities are also dubbed "Zero-Day" in the media.
This seemingly simple IT security phenomenon has far reaching implications:
- For attackers, a Zero-Day exploit is a sure way of accessing a system;
- For vendors, a Zero-Day vulnerability is a serious security risk for their clients with equally serious business risks for the vendors;
- For users and system administrators, a Zero-Day vulnerability on a software they use is a serious security risk which requires increased caution.
Lifecycle of a Zero-Day
For a Zero-Day exploit to exist, someone needs to know about the associated vulnerability: an increasing number of experts look for Zero-Day vulnerabilities because vendors, governments and criminal organisations pay large amounts of money for them.
Until a Zero-Day vulnerability is made public, attackers will try to use it with caution so as to avoid detection. Once it has been made public, defenders will try to fix it (develop and install patches) as quickly as possible while attackers will try to use the exploit as fast and often as possible.
The publication of internal documents from the company Hacking Team shed light on four Zero-Day exploits: three in Adobe Flash, and one in Microsoft Windows.
The Stuxnet worm used no less than four Zero-Day vulnerabilities in Microsoft Windows in order to propagate and remain undetected.
Given their nature, there is no 100% protection possible against all Zero-Day exploits. Protection will come from a set of measures along with a vigilant security team:
- Monitoring for anomalies, like system crashes or changes in performance can uncover exploitation attempts;
- Internal network segmentation helps mitigate the propagation, by only allowing traffic between systems that must be connected;
- Exploit mitigation software, like Microsoft's EMET, can prevent some exploits from working.