Zero-day

What is a Zero-Day Vulnerability?

A software vendor may discover a security flaw in its software before it has a patch to fix it. Such a bug is known as a zero-day vulnerability: because the developer has only just found the flaw, it has had zero days to fix the problem before attackers can exploit it. Attackers can exploit such vulnerabilities and turn them into weapons.

If the software vendor fails to release a patch before cybercriminals manage to exploit the security gap, a zero-day attack can occur. Once the software vendor announces a security patch, the bug is no longer a zero-day; the security flaw joins the list of other patchable vulnerabilities.

Key Takeaways

  • A zero-day vulnerability is a software security flaw that has been discovered but not yet patched.
  • An attacker can exploit a zero-day vulnerability to carry out a zero-day attack.
  • Software updates provide the patches needed to neutralize zero-day vulnerabilities.
  • A zero-day loses its status once the software vendor announces a security patch.
  • Governments discover, purchase, and deploy zero-days for military, intelligence, and law enforcement purposes.
  • Use both proactive and reactive security measures to reduce the risk from zero-day vulnerabilities.
  • Vendors can invest in bug bounties to encourage the discovery and reporting of zero-days.

Controversy Around Zero-Day Flaws

A zero-day security flaw is one that the software vendor has not yet patched. In effect, cyber actors can exploit the vulnerability and turn it into a powerful tool.

Governments discover, purchase, and deploy zero-days for military, intelligence, and law enforcement purposes. However, the practice is controversial since it leaves societies and other countries defenseless against attackers who discover zero-day vulnerabilities.

Zero-Days Command High Prices on the Black Market

Zero-days also command high prices on the black market. Want to make a cool million dollars? Discover the right, powerful iPhone zero-day and sell it to one of the black-market players, such as Zerodium, which claims to offer the highest bounties on the market.

The black market allows researchers and hackers to sell zero-day security flaws to anyone, including nation-states such as Iran and North Korea, drug cartels, and organized crime.

Recent Example of a Zero-Day Vulnerability

The popular Zoom videoconferencing software was hit by a zero-day that allowed any website to forcibly join a user to a Zoom call with the video camera activated, without the user’s permission. The vulnerability also allowed any webpage to DoS (denial of service) a Mac by repeatedly joining the user to invalid Zoom calls.

The Zoom zero-day enabled an attacker to turn on victims’ cameras and microphones, giving the criminal access to the target’s physical surroundings, not just the data on a device.

The nasty zero-day caught Zoom unaware. The vendor dragged its feet fixing the security flaw, forcing the researcher to drop the 0day (publish details of the zero-day vulnerability to coerce a sluggish vendor into closing the security gap).

Regulating Zero-Days

Regulating the black or grey market to control the trade in zero-day exploits remains a struggle that countries have so far failed to resolve. For years, activists and governments alike have been lobbying for reliable controls on spyware and the research that fuels it.

However, security researchers warn that export controls on vulnerability research would amount to regulating the flow of information, and the security community does not support such measures.

The U.S. uses the Vulnerabilities Equities Process (VEP) to evaluate zero-days for disclosure. However, the VEP has been criticized as ineffective, since researchers believe the government remains free to report some flaws to a vendor while hoarding other zero-days for offensive purposes.

The Wassenaar Agreement, laid out in 2013, covered export rules on technology and provided broad guidelines for how countries should license software and technology crossing international borders.

The response from the security world has been blistering. Security researchers and experts see the Wassenaar rules as a cure that is worse than the disease.

How to Prevent Zero-Day Vulnerabilities

You can take proactive and reactive security measures to keep your computers and information safe from zero-day vulnerabilities.

Use comprehensive security products to protect your devices from known and unknown threats.

Install software updates when vendors make them available to reduce the risk of malware infections. Software updates contain the necessary revisions to applications or operating systems. Patching a system adds new features, removes outdated components, updates drivers, fixes bugs, and closes discovered security holes.

Checklist for reducing zero-day vulnerability risks:

  • Update software and security tools by downloading the latest versions and updates.
  • Establish and follow safe and effective personal online security habits.
  • Configure the security settings of your operating system, web browser, and security products.
  • Implement proactive and comprehensive security solutions to detect and block known and unknown threats.
  • Vendors can invest in bug bounties to encourage the discovery and reporting of zero-days.