By Dr. Samir Kelekar, Senior Consultant, Indusface



What is Zero-Day Vulnerability?

Google announced a new project for funding vulnerability research, Project Zero. The main aim of the project is to make the web a safer place for users by focusing on “zero-day” vulnerabilities and “zero-day” attacks. Chris Evans, Researcher Herder at Google, said that the objective of Project Zero is to significantly reduce the number of people harmed by targeted attacks.

A zero-day vulnerability is a vulnerability that is not yet known to the security vendors and therefore has no patch ready. This means that the vulnerability can be exploited by hackers to access the affected application’s data. The term zero-day is used because the security vendor has known about the vulnerability for zero days and therefore has no fix for it.

When a zero-day vulnerability is exploited by an attacker, the attack is referred to as a zero-day attack or threat.

More on Zero-Day Vulnerabilities

To make things clearer, we will go into more detail about what a zero-day vulnerability is and how it comes into existence. A weakness or flaw in a system that leaves it open to attack by hackers is referred to as a vulnerability. Software companies devote a lot of time and money to fixing these vulnerabilities promptly, before they catch the eye of cybercriminals, but code is very complex, and sometimes a vulnerability can lie in the code undetected for years. The most recent and well-known example of this is Heartbleed, a critical vulnerability that allows a malicious user to use a client to retrieve 64K of memory, containing sensitive data, from the server. Although Heartbleed had existed in the OpenSSL software for about two years, it was discovered only in April 2014.
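The Heartbleed flaw described above boils down to a handler that trusted a length field supplied by the other side. The following is an added example, not code from the article or from OpenSSL: it models a heartbeat record sitting in a buffer that still holds stale data from earlier processing (a constructed, made-up cookie), and shows the flawed handler beside the hardened one. The record layout (one type byte, a two-byte big-endian payload length, then the payload) follows RFC 6520; the buffer size, the stale value and the function names are assumptions made for the illustration.

```python
# Added example (not from the original article or from OpenSSL): a toy model of
# the Heartbleed bug class. A heartbeat record declares its payload length; the
# flawed handler trusts that field, the hardened one checks it against the
# number of bytes actually received, which is the essence of the OpenSSL fix.
import struct
from typing import Optional, Tuple

MEMORY_SIZE = 256  # assumed size of the toy buffer
# Constructed stale data that happens to sit just after the record in memory.
STALE_SECRET = b"session=example-cookie-not-real;"


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """RFC 6520 layout: type byte (1 = request), 2-byte big-endian length, payload.
    declared_len is taken as a parameter so it can disagree with len(payload)."""
    return bytes([1]) + struct.pack(">H", declared_len) + payload


def plant_in_memory(record: bytes) -> Tuple[bytearray, int]:
    """Place the record at the start of a buffer and leave stale data after it.
    Returns the buffer and the number of bytes that really arrived."""
    mem = bytearray(MEMORY_SIZE)
    mem[: len(record)] = record
    end = len(record)
    mem[end : end + len(STALE_SECRET)] = STALE_SECRET
    return mem, len(record)


def vulnerable_handler(mem: bytearray, record_len: int) -> bytes:
    """Flawed: echoes declared_len bytes of payload without consulting record_len,
    so a declared length larger than the real payload copies stale memory too."""
    declared_len = struct.unpack(">H", mem[1:3])[0]
    return bytes(mem[3 : 3 + declared_len])


def fixed_handler(mem: bytearray, record_len: int) -> Optional[bytes]:
    """Hardened: the declared length must fit inside the bytes actually received;
    otherwise the record is silently discarded, as the patched OpenSSL does."""
    if record_len < 3:
        return None
    declared_len = struct.unpack(">H", mem[1:3])[0]
    if 3 + declared_len > record_len:
        return None
    return bytes(mem[3 : 3 + declared_len])


if __name__ == "__main__":
    # A record whose declared length overstates the 2-byte payload it carries.
    mem, n = plant_in_memory(build_heartbeat(b"hi", 2 + len(STALE_SECRET)))
    print("flawed handler returned:", vulnerable_handler(mem, n))
    print("fixed handler returned:", fixed_handler(mem, n))
```

The point of the comparison is that the hardened handler never needs to know what the stale bytes are; it only needs to refuse any record whose declared length is not backed by bytes that were actually received.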

Once a vulnerability is found by the security vendor, they release a patch to fix it as a software update. It’s as simple as that!

But complications arise when the vulnerability is not discovered by the good guys first. Normally, when someone finds a flaw in software that can potentially be exploited, they inform the respective software company so that it can be fixed. Many companies, including Google, offer financial and recognition-related incentives in the form of “bug bounties” to such reporters.

If the same flaw is discovered by a miscreant, s/he tries to use it for personal gain and tries to keep the vulnerability hidden for as long as possible, thereby gaining the opportunity to exploit it to the maximum. Let us share an example of this scenario with you. In 2012, a hacker announced that he had discovered an XSS flaw in Yahoo which could be exploited to hijack Yahoo webmail users’ accounts. He announced that he was ready to sell the information about this flaw to a “serious contender” for $700. The reason for this specific request was that Yahoo at that time had been unable to find the vulnerability, and the hacker wanted to keep it that way for as long as he could!

How to Protect against Zero-Day Attacks

An attack that occurs due to the exploitation of a zero-day vulnerability is known as a zero-day attack. Here the exploit happens on the “zeroth” day of the developer’s knowledge of the vulnerability.

Since you do not know about the vulnerability, you cannot protect yourself against it directly. However, there are certain steps one can follow to detect a zero-day attack early or to minimize the possibility of one:

- Keep software updated with the latest software updates and patches.
- Do not click on unknown attachments and links. Caution is needed even if the content comes from known users, as there are more than enough incidents where cybercriminals have assumed the identity of a familiar person to spread viruses or malware. Have a good anti-virus in place to block such attacks.
- Operate on sites that are secured with Secure Socket Layer (SSL).
- Many companies support projects that work on providing information on upcoming attacks.
- Go for multiple-layer protection with web application firewalls.
- Run a free website scanner periodically for malware and vulnerabilities.
- The best defense is offense, therefore fix any new vulnerability before someone else finds it.
- Protect the content of individual transmissions with the help of Virtual LANs.
- Always use password-protected Wi-Fi.
- Perform penetration testing on your applications. This will help you find the weak points in your security and fix them before the hackers do.

Given that zero-days may not be preventable even after all the standard precautions have been taken, one needs to check for the after-effects and possibly catch them. For instance, what would a hacker do after breaching the security via a zero-day exploit? In the case of a website, he would possibly try to download the whole database of users or financial information. A Data Loss Prevention product could possibly catch and prevent such downloads. One could also look for anomalies in logs. Some SIEM (Security Information and Event Management) products have sophisticated log correlation capabilities that look for anomalies in traffic. With computing power and storage being plentiful, there are companies that use machine learning techniques to look for unusual activities.
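The bulk-download scenario above is one of the simplest anomalies to look for in web server logs, and it does not depend on knowing the vulnerability that was used. The following is an added example, not code from the article or from any DLP or SIEM product: it parses common-log-format lines and flags any client that, within a sliding window, either makes too many requests or is sent too many bytes. The log lines are constructed (RFC 5737 documentation addresses, made-up paths), and the window and thresholds are assumptions that would be tuned against real traffic.

```python
# Added example (not from the original article): flag clients whose request
# volume or transferred bytes within a sliding window exceed a baseline, the
# kind of after-the-fact signal a SIEM correlation rule or DLP product looks
# for when an attacker starts pulling a whole database through a web app.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
    }


def find_bulk_readers(lines: List[str],
                      window: timedelta = timedelta(minutes=5),
                      max_bytes: int = 1_000_000,
                      max_requests: int = 20) -> Dict[str, dict]:
    """Return {ip: details} for clients that exceed either threshold inside
    any window of the given length (thresholds are assumed values)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[rec["ip"]].append(rec)

    alerts: Dict[str, dict] = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start, total_bytes = 0, 0
        for end, rec in enumerate(recs):
            total_bytes += rec["bytes"]
            # Slide the window start forward until it fits within `window`.
            while rec["ts"] - recs[start]["ts"] > window:
                total_bytes -= recs[start]["bytes"]
                start += 1
            count = end - start + 1
            if total_bytes > max_bytes or count > max_requests:
                alerts[ip] = {"bytes": total_bytes, "requests": count,
                              "first_flagged_at": rec["ts"], "last_path": rec["path"]}
                break  # one alert per client is enough for this illustration
    return alerts


# Constructed sample traffic: one ordinary user and one client paging through an
# export endpoint every five seconds, 200,000 bytes per page.
NORMAL_LINES = [
    '192.0.2.10 - - [10/Jul/2014:14:00:03 +0000] "GET /login HTTP/1.1" 200 1532',
    '192.0.2.10 - - [10/Jul/2014:14:00:09 +0000] "POST /login HTTP/1.1" 302 0',
    '192.0.2.10 - - [10/Jul/2014:14:00:15 +0000] "GET /account HTTP/1.1" 200 8123',
]
BULK_LINES = [
    f'198.51.100.23 - - [10/Jul/2014:14:{(i * 5) // 60:02d}:{(i * 5) % 60:02d} +0000] '
    f'"GET /export/customers?page={i} HTTP/1.1" 200 200000'
    for i in range(25)
]
SAMPLE_LOG = NORMAL_LINES + BULK_LINES


if __name__ == "__main__":
    for ip, info in find_bulk_readers(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, {info['bytes']} bytes "
              f"by {info['first_flagged_at']} (last path {info['last_path']})")
```

In this sample the export client trips the byte threshold on its sixth page, long before the request-count threshold, which is the usual shape of a data pull: few requests, each carrying far more data than a normal page view. Real deployments would derive the thresholds from each endpoint's historical volume rather than from fixed constants.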