A flaw in software that is unknown to the developer and is exploited as soon as it becomes generally known to the public is called a Zero-Day vulnerability or exploit. The name ‘Zero-Day’ is given because the developer has to work on the vulnerability fast and does not have even a single day to release a fix.
Life-cycle of a Zero-Day exploit
- Developer creates a software
- A weakness in the software that is unknown to the developer is found by hackers
- Hackers start exploiting this flaw before this vulnerability is known to the public or developer
- The developer and/or public becomes aware of this vulnerability and developers start working on it to release a fix
- Developers release an update patch (a fix)
- Users need to update their software to secure their devices
The exploitability window is the time from when the vulnerability becomes known to the hacker until a fix is released by the developer. Its length may vary depending on multiple factors. Sometimes hackers do not publish the vulnerability information publicly. Conversely, developers might be unaware that a vulnerability is being exploited and release a security patch. Many times users simply stop using the software because of the vulnerability, keeping the exploitability window open for a long time.
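The sketch below is an added example, not taken from any report or tool mentioned here. It measures the exploitability window defined above and, following the last life-cycle step, how long each individual host stays exposed until it installs the fix. The vulnerability IDs, host names and dates are all constructed, and the "known to attacker" date is assumed to be an estimate.

```python
from datetime import date

# Constructed sample data (not real vulnerabilities or hosts).
# known_to_attacker: estimated date attackers learned of the flaw (assumption).
# patch_released: date the developer shipped the fix, None if no fix exists yet.
VULNS = {
    "VULN-A": {"known_to_attacker": date(2014, 1, 10), "patch_released": date(2014, 2, 4)},
    "VULN-B": {"known_to_attacker": date(2014, 3, 1), "patch_released": None},
}
# Date a host installed a fix; a missing entry means the host never updated.
INSTALLED = {("web-01", "VULN-A"): date(2014, 2, 5)}
HOSTS = ["web-01", "hr-laptop"]
SAMPLE_TODAY = date(2014, 4, 1)  # constructed "as of" date for open windows


def exploitability_window(vuln, today):
    """Return (days, still_open) from attacker knowledge to patch release.

    With no patch released, the window is still open and is measured to `today`.
    """
    released = vuln["patch_released"]
    end = released if released is not None else today
    if end < vuln["known_to_attacker"]:
        raise ValueError("window end precedes its start")
    return (end - vuln["known_to_attacker"]).days, released is None


def host_exposure(vuln_id, host, today):
    """Return (days, still_exposed): a host's window closes only when it updates."""
    vuln = VULNS[vuln_id]
    installed = INSTALLED.get((host, vuln_id))
    if installed is not None and (vuln["patch_released"] is None
                                  or installed < vuln["patch_released"]):
        raise ValueError("install recorded before any patch was released")
    end = installed if installed is not None else today
    return (end - vuln["known_to_attacker"]).days, installed is None


def report(today):
    """Map each vulnerability to its vendor-side window and per-host exposure."""
    return {
        vid: {"window": exploitability_window(vuln, today),
              "hosts": {h: host_exposure(vid, h, today) for h in HOSTS}}
        for vid, vuln in VULNS.items()
    }


if __name__ == "__main__":
    for vid, row in report(SAMPLE_TODAY).items():
        print(vid, row)
```

In the sample data the vendor-side window for VULN-A closes when the patch ships, yet the host that never updated is still exposed on the reporting date.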
Symantec published an Internet Security Threat Report this month naming 2014 the year of zero-day exploits. They also stated that the number of zero-day attacks and exploitability windows increased significantly in 2014 compared to 2013. Information about vulnerabilities is being sold faster on the Darknet, and developers are taking longer to release fixes.
How to protect our systems from zero-day attacks?
- Update the operating system and software apps regularly
- Refrain from using outdated software or software for which support is no longer available, e.g. Windows XP
- Be careful when clicking on links or opening email attachments with images or PDF files
- Use Secure Sockets Layer (SSL) – SSL secures the information being passed between the user and the visited site
Examples: Zero-Day Exploits and Vulnerabilities
- Internet Explorer Watering Hole Exploit
- Internet Explorer 9 through 11 Exploit