Zero-day vulnerability

A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contains bugs. Many of these impair the security of the system and are thus vulnerabilities. Although the basis of only a minority of cyberattacks, zero-days are considered more dangerous than known vulnerabilities because there are fewer countermeasures possible.

States are the primary users of zero-day vulnerabilities, not only because of the high cost of finding or buying them, but also because of the significant cost of writing the attack software. Many vulnerabilities are discovered by hackers or security researchers, who may disclose them to the vendor (often in exchange for a bug bounty) or sell them to states or criminal groups. The use of zero-days increased after many popular software companies began to encrypt messages and data, meaning that the unencrypted data could only be obtained by compromising the software before the data was encrypted.

Definition

Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contain bugs. [1] If a bug creates a security risk, it is called a vulnerability. Vulnerabilities vary in how readily they can be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial-of-service attack. The most valuable allow the attacker to inject and run their own code without the user being aware of it. [2] Although the term "zero-day" initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available. [3] [4] [5] A zero-day exploit is any exploit that takes advantage of such a vulnerability. [2]

Exploits

An exploit is the delivery mechanism that takes advantage of the vulnerability to penetrate the target's systems, for such purposes as disrupting operations, installing malware, or exfiltrating data. [6] Researchers Lillian Ablon and Andy Bogart write that "little is known about the true extent, use, benefit, and harm of zero-day exploits". [7] Exploits based on zero-day vulnerabilities are considered more dangerous than those that take advantage of a known vulnerability. [8] [9] However, it is likely that most cyberattacks use known vulnerabilities, not zero-days. [7]

States are the primary users of zero-day exploits, not only because of the high cost of finding or buying vulnerabilities, but also because of the significant cost of writing the attack software. Nevertheless, anyone can use a vulnerability, [4] and according to research by the RAND Corporation, "any serious attacker can always get an affordable zero-day for almost any target". [10] Many targeted attacks [11] and most advanced persistent threats rely on zero-day vulnerabilities. [12]

The average time to develop an exploit from a zero-day vulnerability was estimated at 22 days. [13] The difficulty of developing exploits has been increasing over time due to increased anti-exploitation features in popular software. [14]

Window of vulnerability

[Figure: Vulnerability timeline]

Zero-day vulnerabilities are often classified as alive (there is no public knowledge of the vulnerability) or dead (the vulnerability has been publicly disclosed but not yet patched). If the affected software is still maintained, with its developers actively searching for vulnerabilities, the vulnerability is called living; one in unmaintained software is called immortal. Zombie vulnerabilities can be exploited in older versions of the software but have been patched in newer versions. [15]

Even publicly known and zombie vulnerabilities are often exploitable for an extended period. [16] [17] Security patches can take months to develop, [18] or may never be developed. [17] A patch can have negative effects on the functionality of software [17] and users may need to test the patch to confirm functionality and compatibility. [19] Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches. [17]

Research suggests that the risk of cyberattack increases once a vulnerability is made publicly known or a patch is released. [20] Cybercriminals can reverse engineer the patch to find the underlying vulnerability and develop exploits, [21] often faster than users install the patch. [20]

According to research by RAND Corporation published in 2017, zero-day exploits remain usable for 6.9 years on average, [22] although those purchased from a third party only remain usable for 1.4 years on average. [13] The researchers were unable to determine if any particular platform or software (such as open-source software) had any relationship to the life expectancy of a zero-day vulnerability. [23] Although the RAND researchers found that 5.7 percent of a stockpile of secret zero-day vulnerabilities will have been discovered by someone else within a year, [24] another study found a higher overlap rate, as high as 10.8 percent to 21.9 percent per year. [25]
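The figures above (a 5.7 percent annual overlap rate in one study, 10.8 to 21.9 percent in another, and an average usable life of 6.9 years) are easier to compare if they are run through one simple model. The following is an added example, not code from the article or from either study: it assumes that rediscovery of a stockpiled zero-day by an outside party is an independent event each year with a constant probability p (the quoted overlap rate), which makes survival geometric. Under that assumption a 5.7 percent rate alone would give a mean private life of about 17.5 years, well above the observed 6.9-year average, so rediscovery cannot be the main thing that retires a zero-day; at 21.9 percent the model gives about 4.6 years, below it. All derived numbers are consequences of the model, not figures from the page.

```python
"""Geometric model of zero-day rediscovery ('overlap') and survival.

Added example. The only inputs taken from the article are the three
annual overlap rates and the 6.9-year mean usable life; the constant
annual-hazard assumption and every derived number are the model's.
"""
from typing import Dict

# Inputs quoted in the article.
RAND_OVERLAP = 0.057         # RAND 2017: ~5.7 % of a stockpile found by others within a year
OTHER_STUDY_LOW = 0.108      # Leal & Musgrave 2023: 10.8 % per year (low end)
OTHER_STUDY_HIGH = 0.219     # Leal & Musgrave 2023: 21.9 % per year (high end)
RAND_MEAN_LIFE_YEARS = 6.9   # RAND 2017: average usable life of a zero-day exploit


def still_private(p: float, years: int) -> float:
    """Probability that one stockpiled zero-day has not been rediscovered after `years`,
    assuming (model assumption) an independent chance p of rediscovery each year."""
    if not 0.0 <= p <= 1.0 or years < 0:
        raise ValueError("p must be a probability and years must be non-negative")
    return (1.0 - p) ** years


def expected_rediscovered(stockpile: int, p: float, years: int) -> float:
    """Expected number of zero-days in a stockpile of the given size that an outside
    party will have found within `years`."""
    if stockpile < 0:
        raise ValueError("stockpile size must be non-negative")
    return stockpile * (1.0 - still_private(p, years))


def expected_private_life(p: float) -> float:
    """Mean number of years until rediscovery if rediscovery were the *only* way a
    zero-day 'dies' (mean of a geometric distribution with parameter p)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    if p == 0.0:
        return float("inf")
    return 1.0 / p


def implied_annual_hazard(mean_life_years: float) -> float:
    """Constant annual retirement rate implied by an observed mean life under the same
    model. This covers every cause of death (vendor fix, disclosure, rediscovery,
    product end-of-life), not rediscovery alone, so it is an upper bound on p."""
    if mean_life_years <= 0.0:
        raise ValueError("mean life must be positive")
    return 1.0 / mean_life_years


def compare(stockpile: int = 100, years: int = 5) -> Dict[str, Dict[str, float]]:
    """Run the three quoted overlap rates through the model for one stockpile."""
    rates = {"rand_2017": RAND_OVERLAP,
             "leal_musgrave_low": OTHER_STUDY_LOW,
             "leal_musgrave_high": OTHER_STUDY_HIGH}
    result: Dict[str, Dict[str, float]] = {}
    for label, p in rates.items():
        result[label] = {
            "annual_rate": p,
            "still_private_after_years": still_private(p, years),
            "rediscovered_in_stockpile": expected_rediscovered(stockpile, p, years),
            "mean_private_life_years": expected_private_life(p),
        }
    return result


if __name__ == "__main__":
    # Compare the quoted overlap rates with the retirement rate implied by the
    # observed 6.9-year mean life.
    print(f"hazard implied by {RAND_MEAN_LIFE_YEARS}-year mean life: "
          f"{implied_annual_hazard(RAND_MEAN_LIFE_YEARS):.3f}/year")
    for label, row in compare(stockpile=100, years=5).items():
        print(f"{label:>18}: p={row['annual_rate']:.3f}  "
              f"private after 5y={row['still_private_after_years']:.2f}  "
              f"rediscovered of 100={row['rediscovered_in_stockpile']:.1f}  "
              f"mean private life={row['mean_private_life_years']:.1f}y")
```

The comparison only says something about the model: a constant rate is a crude fit, the two studies measured different populations, and the RAND figure counts all causes of death. It is nonetheless the check a practitioner would want before treating "5.7 percent per year" as a statement about how long a stockpile stays usable.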

Countermeasures

Because, by definition, there is no patch that can block a zero-day exploit, all systems running the affected software or hardware are at risk. This includes otherwise well-defended systems, such as those of banks and governments, that have every available patch installed. [26] Antivirus software is often ineffective against the malware introduced by zero-day exploits. [27] Security systems are designed around known vulnerabilities, so malware inserted by a zero-day exploit can continue to operate undetected for an extended period of time. [17] Although there have been many proposals for a system that is effective at detecting zero-day exploits, this remains an active area of research as of 2023. [28]

Many organizations have adopted defense-in-depth tactics, so that a successful attack is likely to require breaching multiple layers of security, which makes it harder to achieve. [29] Conventional cybersecurity measures such as user training and access controls, including multifactor authentication, least-privilege access, and air-gapping, make it harder to compromise systems with a zero-day exploit. [30] Since writing perfectly secure software is impossible, some researchers argue that driving up the cost of exploits is a good strategy for reducing the burden of cyberattacks. [31]

Market

[Figure: Comparing the average prices of different kinds of exploits, 2015–2022]

Zero-day exploits can fetch millions of dollars. [4] There are three main types of buyers: [32]

In 2015, the government and criminal markets were estimated to be at least ten times larger than the white market. [32] Sellers are often hacker groups that seek out vulnerabilities in widely used software for financial reward. [40] Some will only sell to certain buyers, while others will sell to anyone. [39] White-market sellers are more likely to be motivated by non-pecuniary rewards such as recognition and intellectual challenge. [41] Selling zero-day exploits is legal. [35] [42] Despite calls for more regulation, law professor Mailyn Fidler says there is little chance of an international agreement because key players such as Russia and Israel are not interested. [42]

The sellers and buyers that trade in zero-days tend to be secretive, relying on non-disclosure agreements and classified-information laws to keep the exploits secret. If the vulnerability becomes known, it can be patched and its value consequently crashes. [43] Because the market lacks transparency, it can be hard for parties to find a fair price. Sellers might not be paid if the vulnerability was disclosed before it was verified, or if the buyer declined to purchase it but used it anyway. With the proliferation of middlemen, sellers could not know how their exploits would be used. [44] Buyers could not guarantee that the exploit had not also been sold to another party. [45] Both buyers and sellers advertise on the dark web. [46]

Research published in 2022, based on the maximum prices paid as quoted by a single exploit broker, found a 44 percent annualized inflation rate in exploit pricing. Remote zero-click exploits fetched the highest prices, while those that require local access to the device are much cheaper. [47] Vulnerabilities in widely used software are also more expensive. [48] The researchers estimated that around 400 to 1,500 people sold exploits to that broker and that they made around $5,500 to $20,800 annually. [49]

Disclosure and stockpiling

As of 2017, there is an ongoing debate as to whether the United States should disclose the vulnerabilities it is aware of, so that they can be patched, or keep them secret for its own use. [50] Reasons that states keep a vulnerability secret include wanting to use it offensively, or defensively in penetration testing. [10] Disclosing the vulnerability reduces the risk that consumers and all users of the software will be victimized by malware or data breaches. [1]

History

Zero-day exploits increased in significance after services such as Apple, Google, Facebook, and Microsoft encrypted servers and messages, meaning that the only way to access a user's data was to intercept it at the source before it was encrypted. [26] One of the best-known uses of zero-day exploits was the Stuxnet worm, which used four zero-day vulnerabilities to damage Iran's nuclear program in 2010. [7] The worm showed what could be achieved with zero-day exploits, unleashing an expansion of the market. [37]

The United States National Security Agency (NSA) increased its search for zero-day vulnerabilities after large tech companies refused to install backdoors in their software, tasking its Tailored Access Operations (TAO) unit with discovering and purchasing zero-day exploits. [51] In 2007, former NSA employee Charlie Miller publicly revealed for the first time that the United States government was buying zero-day exploits. [52] Some information about the NSA's involvement with zero-days was revealed in the documents leaked by NSA contractor Edward Snowden in 2013, but details were lacking. [51] Reporter Nicole Perlroth concluded that "either Snowden's access as a contractor didn't take him far enough into the government's systems for the intel required, or some of the government's sources and methods for acquiring zero-days were so confidential, or controversial, that the agency never dared put them in writing". [53]

References

  1. Ablon & Bogart 2017, p. 1.
  2. Ablon & Bogart 2017, p. 2.
  3. Ablon & Bogart 2017, pp. iii, 2.
  4. Sood & Enbody 2014, p. 1.
  5. Perlroth 2021, p. 7.
  6. Strout 2023, p. 23.
  7. Ablon & Bogart 2017, p. 3.
  8. Sood & Enbody 2014, p. 24.
  9. Bravo & Kitchen 2022, p. 11.
  10. Ablon & Bogart 2017, p. xiv.
  11. Sood & Enbody 2014, pp. 2–3, 24.
  12. Sood & Enbody 2014, p. 4.
  13. Ablon & Bogart 2017, p. xiii.
  14. Perlroth 2021, p. 142.
  15. Ablon & Bogart 2017, p. xi.
  16. Ablon & Bogart 2017, p. 8.
  17. Sood & Enbody 2014, p. 42.
  18. Strout 2023, p. 26.
  19. Libicki, Ablon & Webb 2015, p. 50.
  20. Libicki, Ablon & Webb 2015, pp. 49–50.
  21. Strout 2023, p. 28.
  22. Ablon & Bogart 2017, p. x.
  23. Ablon & Bogart 2017, pp. xi–xii.
  24. Ablon & Bogart 2017, p. x: "For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been discovered by an outside entity."
  25. Leal, Marcelo M.; Musgrave, Paul (2023). "Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity". Contemporary Security Policy. 44 (3): 437–461. doi:10.1080/13523260.2023.2216112. ISSN 1352-3260.
  26. Perlroth 2021, p. 8.
  27. Sood & Enbody 2014, p. 125.
  28. Ahmad et al. 2023, p. 10733.
  29. Strout 2023, p. 24.
  30. Libicki, Ablon & Webb 2015, p. 104.
  31. Dellago, Simpson & Woods 2022, p. 41.
  32. Libicki, Ablon & Webb 2015, p. 44.
  33. Dellago, Simpson & Woods 2022, p. 33.
  34. O'Harrow 2013, p. 18.
  35. Libicki, Ablon & Webb 2015, p. 45.
  36. Strout 2023, p. 36.
  37. Perlroth 2021, p. 145.
  38. Libicki, Ablon & Webb 2015, pp. 44, 46.
  39. Libicki, Ablon & Webb 2015, p. 46.
  40. Sood & Enbody 2014, p. 116.
  41. Libicki, Ablon & Webb 2015, pp. 46–47.
  42. Gooding, Matthew (19 July 2022). "Zero day vulnerability trade is lucrative but risky". Tech Monitor. Retrieved 4 April 2024.
  43. Perlroth 2021, p. 42.
  44. Perlroth 2021, p. 57.
  45. Perlroth 2021, p. 58.
  46. Sood & Enbody 2014, p. 117.
  47. Dellago, Simpson & Woods 2022, pp. 31, 41.
  48. Libicki, Ablon & Webb 2015, p. 48.
  49. Dellago, Simpson & Woods 2022, p. 42: "The number of independent active sellers (between 400[31] and 1500[35] individuals) ... 2015,[35] suggests an annual pay of $5.5k - 20.8k per researcher."
  50. Ablon & Bogart 2017, p. iii.
  51. Perlroth 2021, p. 9.
  52. Perlroth 2021, pp. 60, 62.
  53. Perlroth 2021, p. 10.

Sources