A 'zero-day' (or 'zero-hour') attack is a computer threat that exposes undisclosed or unpatched computer application vulnerabilities. Zero-day attacks take advantage of computer security holes for which no solution is currently available. 0-day exploits are released before, or on the same day that, the vulnerability (and sometimes the vendor patch) is released to the public. The term derives from the number of days between the public advisory and the release of the exploit. [1] The name itself refers to the vendor patch being available, i.e. the vulnerability affected unpatched systems for zero days.
The terms can also be used to describe warez-group releases of pirated software on or before the release of the software.
Attack vectors
Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. For example, when users visit rogue (or black hat) Web sites, malicious code on the site exploits vulnerabilities in Web browsers. Web browsers are a particular target for criminals because of their widespread distribution and usage. Cybercriminals can also send malicious e-mail attachments via SMTP that exploit vulnerabilities in the application opening the attachment. [2] Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases like US-CERT. Criminals can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data. [3]
Vulnerability window
Zero-day attacks occur when a vulnerability window exists between the time a threat is released and the time security vendors release patches.
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this timeline:
★ Release of new threat/exploit into the wild
★ Detection and study of new exploit
★ Development of new solution
★ Release of patch or updated signature pattern to catch the exploit
★ Distribution and installation of patch on users' systems or updating of virus databases
This process can often last hours, during which networks experience the so-called 'vulnerability window'. One report estimates the 2006 vulnerability window at 28 days. [4]
Protection
'0-day protection' is the ability to provide protection against 0-day exploits. 0-day attacks are generally unknown to the public, therefore it is difficult to defend against them. Such attacks are often effective against "secure" networks. 0-day attacks can also remain undetected after they are launched. [5]
Many techniques exist to limit the effectiveness of 0-day memory corruption vulnerabilities, such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as Apple's Mac OS X, Microsoft Windows Vista [1], Sun Microsystems Solaris, Linux, Unix, and Unix-like environments; Microsoft Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities [6] and previous versions include even less. Desktop and server protection software also exists to mitigate 0-day buffer overflow vulnerabilities. Typically these technologies involve heuristic termination analysis: stopping the attack before it can cause any harm.
It has been suggested that a solution of this kind may be out of reach because it is algorithmically impossible in the general case to analyze arbitrary code to determine whether it is malicious, as such an analysis reduces to the halting problem over a linear bounded automaton, which is unsolvable. It has also been suggested that it is unnecessary to address the general case (that is, to sort all programs into the categories of malicious or non-malicious) in order to eliminate a wide range of malicious behaviors. On this view, one must only recognize the safety of a limited set of programs (e.g., those that can access or modify only a given subset of machine resources) while rejecting both some safe and all unsafe programs in order to secure a system. Such an approach requires that the integrity of those safe programs be maintained, which may prove difficult in the face of a kernel level exploit.
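As an added illustration of the "limited set of safe programs" approach described above (this is example code written for this page, not from any product or research cited here): a conservative checker over a constructed toy instruction set accepts a program only if every instruction in it names a resource inside an allowed subset. It never tries to decide what the program does at run time, so it always terminates; the price is that it rejects some programs that are in fact safe (the forbidden access is dead code) alongside every program that could actually touch a forbidden resource. Instruction names, resource names and the sample programs are all hypothetical.

```python
from typing import List, Tuple, Set, FrozenSet

# Toy instruction set (constructed for this example): (opcode, argument).
# "read"/"write" name a machine resource; "jmp" takes a target index; "halt" stops.
Instr = Tuple[str, str]

# Hypothetical subset of machine resources a program is permitted to touch.
ALLOWED_RESOURCES: FrozenSet[str] = frozenset({"stdout", "tmpfile"})


def resources_named(program: List[Instr]) -> Set[str]:
    """Every resource mentioned anywhere in the program, reachable or not."""
    return {arg for op, arg in program if op in ("read", "write")}


def is_accepted(program: List[Instr], allowed: FrozenSet[str] = ALLOWED_RESOURCES) -> bool:
    """Conservative static check: accept only if no instruction names a
    resource outside the allowed subset. Purely syntactic, so it cannot
    loop forever, but it will reject safe programs whose forbidden
    instructions are never executed."""
    return resources_named(program) <= allowed


def resources_touched(program: List[Instr], max_steps: int = 100) -> Set[str]:
    """Reference interpreter used only to show which resources a program
    really accesses; a step limit stands in for the undecidable general case."""
    touched: Set[str] = set()
    pc = 0
    for _ in range(max_steps):
        if pc >= len(program):
            break
        op, arg = program[pc]
        if op == "halt":
            break
        if op in ("read", "write"):
            touched.add(arg)
            pc += 1
        elif op == "jmp":
            pc = int(arg)
    return touched


# Constructed sample programs.
SAFE_SIMPLE: List[Instr] = [("write", "stdout"), ("halt", "")]
UNSAFE: List[Instr] = [("read", "password_db"), ("write", "stdout"), ("halt", "")]
# Safe at run time (the jump skips the forbidden read), yet rejected by the checker.
SAFE_BUT_REJECTED: List[Instr] = [("jmp", "2"), ("read", "password_db"),
                                  ("write", "stdout"), ("halt", "")]
```

The last sample is the "some safe programs" the text says such a scheme must be willing to reject: `resources_touched` shows it only ever writes to `stdout`, but `is_accepted` refuses it because deciding that in general is the halting-problem reduction above.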
Symantec's SONAR technology attempts to identify non-malware software by using an algorithm that detects traits of known-good software. In the SONAR system, any newly installed program that does not meet the algorithm's criteria is flagged as potential malware. [7]
The Zeroday Emergency Response Team, or ZERT, [8] is a group of software engineers who work to release non-vendor patches for 0-day exploits.
Worms
Zero-day worms take advantage of a vulnerability by launching a surprise attack while the vulnerability remains unknown to computer security professionals. Well-designed worms can spread within minutes, with devastating consequences for the Internet and beyond.
Ethics
Differing ideologies exist around the collection and use of 0-day vulnerability information. Many computer security vendors perform research on 0-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity. An example of such a program is TippingPoint's Zero Day Initiative. While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is a lot of controversy over the method of disclosure. A recent German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.
Most formal programs follow some form of Rain Forest Puppy's disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response. In general these rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch.
Pirated software
'Zero day warez' refers to software, videos, music, or information unlawfully released or obtained on the day of public release. Items obtained pre-release are sometimes labeled 'negative day' or '-day'. 0-day software, games, videos and music refers to content that has been either illegally obtained or illegally copied on the day of the official release. These are usually the work of a hacker or an employee of the releasing company.
See also
★ Access Control
★ Network Access Protection
★ Network Access Control
★ Network Admission Control
★ Targeted attacks
External links
★ Zero Day Tracker
★ Worm Blog
★ US-CERT vulnerability database
★ Examples of zero-day attacks:
★ Attackers seize on new zero-day in Word (InfoWorld)
★ PowerPoint Zero-Day Attack May Be Case of Corporate Espionage (FoxNews)
★ Microsoft Issues Word Zero-Day Attack Alert (eWeek)
Footnotes
1. About Zero Day Exploits
2. "SANS sees upsurge in zero-day Web-based attacks", Computerworld
3. "E-mail Residual Risk Assessment", Avinti, Inc., p. 2, http://www.avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf
4. "Internet Security Threat Report", Symantec Corp., Vol. X, Sept. 2006, p. 12
5. What is a Zero-Day Exploit?
6. Changes to Functionality in Microsoft Windows XP Service Pack 2
7. Symantec unveils SONAR to find zero-day attacks
8. Zeroday Emergency Response Team