A zero-day vulnerability is a software flaw that is unknown to the developer or vendor, and therefore unpatched, at the time attackers begin exploiting it. Such flaws are often hard to detect until an attack actually occurs. A zero-day attack abuses the vulnerability, typically to deliver malware, before the developer has had any chance to release a patch or fix.
If software contains a security flaw, a patch or update from the developer or vendor can fix it. However, attackers may notice the vulnerability first. In that case, because the flaw is not known in advance, there is no specific defense against it. Those who exploit such flaws can go unnoticed for years. Such vulnerabilities sell on the black market for large sums of money. Companies exposed to this kind of abuse may establish procedures for early detection.
If a security researcher rather than an attacker finds such a weakness, they usually cooperate with the vendor and agree to keep it confidential until the developer issues a patch. For example, Google Project Zero's disclosure rules give the developer or vendor up to 90 days to address a vulnerability before it is announced publicly. However, if the flaw is already being exploited in the wild, the vendor gets only 7 days.
Zero-day attacks are difficult to counter because they are hard to detect. Since the vulnerability is unknown in advance, there is no way to defend against a particular exploit before it happens. However, there are several things companies can do to reduce their exposure.
- Use separate virtual local area networks (VLANs), or physical or virtual network segments, to isolate sensitive traffic flowing between servers.
- Use IPsec to apply encryption and authentication to network traffic.
- Although signature-based IDS and IPS products cannot identify a zero-day exploit itself, pay attention to their alerts about suspicious activity that arises as a side effect of the attack (new outbound connections, unexpected processes, unusual authentication patterns).
- Lock down wireless access points and use a protection scheme such as Wi-Fi Protected Access (WPA2 or WPA3) for maximum protection against wireless attacks.
- Keep all systems patched and up to date. Although patches cannot stop zero-day attacks, fully patched network resources make it harder for an attack to succeed, since the attacker cannot fall back on known flaws elsewhere in the chain.
- When a patch for a zero-day becomes available, apply it as soon as possible.
- Regularly scan corporate networks for vulnerabilities and close every one that is found.
- Single packet authorization (SPA), which keeps a service's port closed until the client sends a single cryptographically authenticated packet, can help protect services on a network with few users against zero-day attacks on the exposed service.
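The following is an added example of the single packet authorization idea, not code from the original article or from any real SPA tool such as fwknop. It assumes a pre-shared key and a packet layout of its own design (timestamp, random nonce, requested port, HMAC-SHA256 over those fields); the firewall keeps the service port closed and only opens it for the sender after verify() accepts the knock. The key and timestamps are placeholders chosen for the demo.

```python
"""Single packet authorization (SPA), a toy implementation.

Added example, not from the original article or from any real SPA product.
Packet layout (this example's own): 8-byte big-endian Unix timestamp ||
16-byte random nonce || 2-byte requested port || 32-byte HMAC-SHA256 over
the preceding bytes. The service port stays dropped by the firewall; only
after a datagram passes verify() does the server open the port for the
sender's address.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set, Tuple

KEY = b"demo-pre-shared-key-replace-me"   # hypothetical key, for the demo only
WINDOW_SECONDS = 30                      # accept packets within +/- 30 s of now
PACKET_LEN = 8 + 16 + 2 + 32


def build_spa_packet(key: bytes, port: int, now: Optional[float] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: one UDP datagram asking for `port` to be opened."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16) if nonce is None else nonce
    body = struct.pack(">Q", ts) + nonce + struct.pack(">H", port)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Server side: decide whether a received datagram is a valid knock."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS) -> None:
        self.key = key
        self.window = window
        # Replay cache; a real server would expire entries older than `window`.
        self.seen_nonces: Set[bytes] = set()

    def verify(self, packet: bytes,
               now: Optional[float] = None) -> Tuple[bool, str, Optional[int]]:
        """Return (accepted, reason, port). A failing packet gets no reply at
        all, so a scanner still sees only a closed port."""
        now = time.time() if now is None else now
        if len(packet) != PACKET_LEN:
            return False, "bad length", None
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate first, in constant time, before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return False, "bad hmac", None
        ts = struct.unpack(">Q", body[:8])[0]
        nonce = body[8:24]
        port = struct.unpack(">H", body[24:26])[0]
        if abs(now - ts) > self.window:
            return False, "stale", None
        if nonce in self.seen_nonces:
            return False, "replay", None
        self.seen_nonces.add(nonce)
        return True, "ok", port


if __name__ == "__main__":
    verifier = SpaVerifier(KEY)
    knock = build_spa_packet(KEY, 22)
    print("first delivery:", verifier.verify(knock))   # accepted
    print("replayed copy: ", verifier.verify(knock))   # rejected as replay
```

On acceptance, the caller would insert a firewall rule admitting the sender's source address to the requested port and remove it again after a short timeout; the example stops at the decision. Checking the MAC before parsing any field means an attacker who does not hold the key cannot influence which port is opened, and the timestamp window plus nonce cache stop a captured knock from being replayed.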
If you are hit by a zero-day attack, it is critical to have a comprehensive disaster recovery strategy in place to limit the damage. This includes a combination of on-premises and cloud-based storage for data backups.
One of the most common recovery methods for these attacks is to physically (or through a network-based firewall) remove all access from anyone who could exploit the vulnerability. For example, if WordPress is affected by a zero-day that provides full, unauthenticated read/write access, the website should be taken offline until a patch is released.
A vulnerability is no longer called a zero-day once a patch has been written and deployed. Zero-day flaws may take months or even years to detect.
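The containment step described above, as an added example that is not code from the original article or from WordPress: rather than powering the site off entirely, a WSGI middleware answers 503 to every client except an allowlist of administrator networks, so nobody who could exploit the flaw can reach the vulnerable code until the patch lands. The allowlist (RFC 5737 and RFC 3849 documentation ranges), the stand-in application and the requests driven through request() are all constructed for the demo.

```python
"""Emergency containment of a web application with an unpatched flaw.

Added example, not from the original article or any real project. Only
administrator networks may reach the application; every other client gets
a 503 and is recorded for the incident timeline.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: documentation address ranges, not real admin networks.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8::/32")]


def vulnerable_app(environ, start_response):
    """Stand-in for the application that has the zero-day flaw."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"application response\n"]


class Lockdown:
    """WSGI middleware: let admin networks through, block everyone else."""

    def __init__(self, app, allowed, trust_forwarded_for: bool = False) -> None:
        self.app = app
        self.allowed = list(allowed)
        self.trust_forwarded_for = trust_forwarded_for
        self.blocked: List[Tuple[str, str]] = []   # (client, path) of refused requests

    def client_address(self, environ) -> str:
        # X-Forwarded-For is attacker-controlled unless a trusted reverse proxy
        # in front of us overwrites it, so it is ignored by default.
        if self.trust_forwarded_for and environ.get("HTTP_X_FORWARDED_FOR"):
            return environ["HTTP_X_FORWARDED_FOR"].split(",")[0].strip()
        return environ.get("REMOTE_ADDR", "")

    def __call__(self, environ, start_response):
        raw = self.client_address(environ)
        try:
            client = ipaddress.ip_address(raw)
        except ValueError:
            client = None   # unparseable address: fail closed
        if client is None or not any(client in net for net in self.allowed):
            self.blocked.append((raw, environ.get("PATH_INFO", "")))
            start_response("503 Service Unavailable",
                           [("Content-Type", "text/plain"), ("Retry-After", "3600")])
            return [b"Site temporarily unavailable.\n"]
        return self.app(environ, start_response)


def request(app, remote_addr: str, path: str = "/",
            forwarded_for: Optional[str] = None) -> Tuple[str, bytes]:
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if forwarded_for is not None:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    site = Lockdown(vulnerable_app, ADMIN_NETWORKS)
    print(request(site, "203.0.113.10", "/wp-admin/"))   # admin network: passes through
    print(request(site, "198.51.100.7", "/xmlrpc.php"))  # anyone else: 503
    print(site.blocked)
```

The middleware fails closed on anything it cannot parse, and it only honours X-Forwarded-For when explicitly told a trusted proxy sets it; otherwise an attacker could add that header and impersonate an admin address. The same allowlist is better enforced at the network firewall as well, since a middleware can only guard the code path it wraps.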
Zero-Day Attack Examples
- 2010 is known as the "year of the zero-day for browsers": Adobe products (Flash, Reader), Internet Explorer, Java, Mozilla Firefox, Windows XP and others were hit by zero-day exploits.
- In 2016, a zero-day attack (CVE-2016-4117) exploited a previously undiscovered flaw in Adobe Flash Player.
- In 2016, more than 100 organizations were targeted through a zero-day bug (CVE-2016-0167), a privilege-escalation flaw in Microsoft Windows.
- In 2017, a zero-day vulnerability (CVE-2017-0199) showed that a Microsoft Office document in Rich Text Format could, when opened, trigger execution of a Visual Basic script containing PowerShell commands.
- Also in 2017, CVE-2017-0261 used Encapsulated PostScript (EPS) as the vector for launching malware infections.