What are zero-day vulnerabilities?
What happens when hackers find vulnerabilities before developers?
Even if you aren't up to date on the latest cybersecurity happenings, you're aware that there are plenty of threats lurking on the internet. Whether it's scam emails, hackers stealing your personal info from websites, or malware spying on your computer, there's a lot to be on the lookout for. The good news is that these threats are well understood, and there are established ways to spot and counter them.
That's not so true for zero-day vulnerabilities. They're flaws that nobody except the attacker knows about at the point they're first exploited. You probably won't run into one while you're browsing the internet, but they're one of the biggest threats that companies face online.
Stick with me and I'll explain what zero-day vulnerabilities are, how they occur, and why it's nearly impossible to stamp them out.
What are zero-day vulnerabilities?
A zero-day vulnerability is a flaw in how a software or hardware system has been built that the developers aren't aware of. By definition, it's impossible to know how many zero-day vulnerabilities there are in a system.
These vulnerabilities can be used by a malicious actor to make the system do something unintended. Perhaps it allows a hacker to grind a network service to a halt, making it unusable for anyone else. Maybe there's a flaw in how authentication works that lets a hacker into a company's data stores without the correct password.
It could be almost anything, but the one thing all zero-day vulnerabilities have in common is that the people responsible for fixing them don't yet know they exist. The term "zero-day" itself refers to the amount of time the developer has had to respond to and fix the vulnerability: zero days.
If you were to think of network security as trying to secure a house, the zero-day vulnerability is like a window you don't know can be opened from the outside.
You assume it's protected against a burglar but, eventually, someone comes along and discovers that all they have to do is pull it up and they're in. All that was protecting you was the shared assumption that your defense works; under scrutiny it turns out there's a fatal flaw.
There are a few other terms that experts use when they're discussing zero-days. The actual code that a hacker uses to take advantage of the vulnerability is called a zero-day exploit.
If several different hacker groups have discovered a zero-day vulnerability before it's been exposed to the public, there may actually be a number of zero-day exploits targeting the same vulnerability.
The other term you should be aware of is zero-day attack, which is when the exploit is used in the real world to break into a system or shut it down.
Often, a zero-day attack is how security researchers first become aware that a zero-day even exists, but if the hackers are careful enough they may carry out several zero-day attacks before their exploits become public knowledge.
How do zero-day vulnerabilities work?
There isn't really a uniform type of zero-day vulnerability. Each one comes from an unintended consequence of how a piece of technology is built. So, when writing software or designing hardware, developers look for insecure designs and coding mistakes that they can fix before they become exploitable.
However, hackers are constantly on the lookout for vulnerabilities too.
A zero-day is a tool in a hacker's arsenal that lets them compromise servers and steal data, and for exactly that reason zero-days are also very valuable in hacker circles. So not every hacker who finds a zero-day uses it themselves; many sell it for money or trade it for other services.
They're treated, and priced, like commodities partly because they're perishable.
Zero-day vulnerabilities can lurk undetected inside software from the moment it's released to the public, or can be introduced later by a patch. They can go undetected for years at a time, but once a hacker uses an exploit based on that vulnerability in the wild, it's only a matter of time until the wider security community works out that the vulnerability is there.
Of course, a vulnerability on its own isn't a whole attack chain. Once the vulnerability is discovered, a hacker still needs to figure out how to take advantage of it to develop an exploit.
Often, a zero-day will be the missing link that allows a hacker to take advantage of several known attack methods to gain a foothold inside a protected network. Ultimately, the goal is to use it to install malware or create a persistent presence inside a system they wouldn’t have been able to get into otherwise.
When an exploit does become public knowledge, most developers act quickly to build a patch that fixes the issue and tell their users to update, but there's still usually a window where savvy hackers can compare the patched code with the unpatched version, work out what was fixed, and deploy their own exploit against systems that haven't been updated yet.
In most cases this window is small, but there are still plenty of machines out there that don't receive regular security patches, and for those the window never closes.
Part of the problem here is how the economics pan out. A bad actor is heavily incentivized to go sniffing around for vulnerabilities in popular code, whereas developers are often juggling security against other development needs.
Why are zero-day vulnerabilities so dangerous?
Zero-days are dangerous because it's hard to protect against them. They completely subvert the security model you've built because one of your assumptions is now flawed.
Until the zero-day has been disclosed, hackers can sit on it and wait for the perfect time to slip into a company's servers and begin stealing their data. If security researchers can catch them in action and build a patch before the vulnerability goes public, that significantly mitigates the damage a zero-day can do.
However, if the vulnerability becomes common knowledge, there's now significant pressure to build patches and distribute them while hackers have a field day with what could potentially be devastating capabilities.
It's also much harder to catch zero-days, as most businesses rely on a complex range of technologies to manage their networks. The proliferation of technology generally makes for a large attack surface, meaning that hackers have more choice than ever to test for weak spots in a company's defenses. Your firewalls and cloud storage services might be bulletproof, but are your IoT devices?
This is also why zero-days are worth so much. Companies spend extraordinary amounts of money protecting their customer data, so anything a hacker can use to navigate those defenses is worth a lot of money. Your everyday hacker will just want to use these vulnerabilities to make money, either by breaking into systems or selling them on to other hackers.
However, some serious cyber-criminals will use zero-days to carry out long-term surveillance on companies and state infrastructure. Nation-state threat actors also buy vulnerabilities, through brokers, dark web markets and front companies, to bolster the capabilities of their intelligence teams. As a result, many major vendors now run bug bounty programs that pay researchers for reporting zero-day vulnerabilities in their software rather than selling them elsewhere.
What can you do about zero-day vulnerabilities?
Here are the best ways to deal with zero-day vulnerabilities:
- Patch your devices: While it's difficult to defend against zero-days before they're disclosed, most software vendors will push out patches as quickly as they can once a zero-day is found in the wild. Keeping your devices up to date is one of the easiest ways to stop hackers breaking into your systems with exploits for bugs that have already been fixed.
- Uninstall unused applications: Auditing a litany of network-enabled services for vulnerabilities can be a headache, especially if you're not using a software manager that updates them for you. You should regularly look through which network applications you're running and uninstall any that aren't being used anymore. Still hosting a game server on your machine for a game you no longer play? Turn it off. Keeping a web server up for a site that's no longer maintained? Same deal. You get the idea.
- Use an antivirus tool: The best antivirus tools use heuristics that look for suspicious behavior instead of only matching malware they've seen before. That way, even if a zero-day exploit gets past part of your network defenses, a good antivirus can detect the malware it drops and alert you before real damage occurs.
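To make the last point concrete, here is an added example (not from the original article, and not the code of any real antivirus product) that runs two detectors over a small, constructed process log: a signature scan that only matches file hashes it has seen before, and a behavioural scan that looks at what the process does. All event data, hashes and rule names are invented for illustration; the image hashes are SHA-256 digests of placeholder labels standing in for real executables.

```python
"""Signature matching versus behavioural heuristics over a constructed process log.

Illustrates why a never-before-seen payload (the "zero-day" sample) slips past a
hash-based signature list but still trips behaviour-based rules.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, shaped like what an endpoint agent might log."""
    parent: str
    process: str
    cmdline: str
    image_sha256: str
    wrote_to: tuple = ()       # file paths the process wrote to
    connected_to: tuple = ()   # remote host:port pairs it connected to


def fake_hash(label: str) -> str:
    # Hypothetical stand-in for the SHA-256 of an executable on disk.
    return hashlib.sha256(label.encode()).hexdigest()


# Hypothetical signature database: hashes of samples the vendor has seen before.
KNOWN_BAD_HASHES = {fake_hash("old-banking-trojan-v3")}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PERSISTENCE_MARKERS = ("\\start menu\\programs\\startup\\", "\\currentversion\\run")


def signature_scan(events):
    """Classic AV logic: flag only images whose hash is already on the bad list."""
    return [e for e in events if e.image_sha256 in KNOWN_BAD_HASHES]


# Behavioural rules: each returns True when an event looks malicious regardless of hash.
def office_spawned_shell(e):
    return e.parent.lower() in OFFICE_APPS and e.process.lower() in SHELLS


def encoded_powershell(e):
    cmd = e.cmdline.lower()
    return "powershell" in e.process.lower() and ("-enc" in cmd or "-encodedcommand" in cmd)


def persistence_write(e):
    return any(m in path.lower() for path in e.wrote_to for m in PERSISTENCE_MARKERS)


def shell_outbound(e):
    return e.process.lower() in SHELLS and bool(e.connected_to)


RULES = [
    ("office app spawned a shell", office_spawned_shell),
    ("encoded PowerShell command", encoded_powershell),
    ("wrote to a persistence location", persistence_write),
    ("shell made an outbound connection", shell_outbound),
]


def behaviour_scan(events):
    """Heuristic logic: return (rule name, event) pairs for every rule an event trips."""
    return [(name, e) for e in events for name, check in RULES if check(e)]


# Constructed sample log: one benign event, one known sample, one novel sample.
SAMPLE_EVENTS = (
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt",
                 fake_hash("notepad"), wrote_to=("C:\\Users\\alice\\notes.txt",)),
    ProcessEvent("explorer.exe", "update.exe", "update.exe /silent",
                 fake_hash("old-banking-trojan-v3"), connected_to=("198.51.100.7:8080",)),
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA",
                 fake_hash("never-seen-dropper"),
                 wrote_to=("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                           "\\Start Menu\\Programs\\Startup\\sync.vbs",),
                 connected_to=("203.0.113.5:443",)),
)


if __name__ == "__main__":
    print("signature hits:", [e.process for e in signature_scan(SAMPLE_EVENTS)])
    for name, e in behaviour_scan(SAMPLE_EVENTS):
        print(f"behaviour hit: {e.parent} -> {e.process}: {name}")
```

Run as a script, the signature scan reports only the old banking trojan, whose hash is on the list, and says nothing about the Word-launched PowerShell dropper. The behavioural scan flags that same dropper four times over, without ever having seen its hash, which is the property that matters against a zero-day.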
Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.