What is a Zero Day
Within cybersecurity, we often hear the term “zero-day” or “zero-day threat”, but what is a zero day, and what does the term 0-day actually mean? The term is used frequently without definition or clarification, and various interpretations circulate on the Internet, some of which are wrong.
The history of threats
Like most terms and phrases, the origins of zero day go back many years, and those origins bring a deeper understanding of the term. In the early days of the Internet, not all consumers were permanently connected, and dial-up Internet access was prevalent. The average Internet user was still the target of attacks, but spent more time disconnected. When vulnerabilities were discovered, there would be prolonged periods before they were patched or updated, and even longer before users applied the updates.
Fixing vulnerabilities
When software is written, it can contain millions of lines of code, and the team of developers may make mistakes. It is not just mistakes in creating the code; it is often simply overlooking ‘unexpected’ ways that people can mess with the software. For many years, the most common error was a “buffer overflow”, where if too much data was sent, it could overflow into other parts of the system. Attackers can use these unchecked buffers to make their own active code deliberately flow into areas that are not intended. Other types of attacks include running operations out of their intended order, accessing interfaces that are not ready, or directly accessing data from deep in the system without going through proper authentication checks.
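As an added illustration of the buffer overflow described above (example code, not from the original article), the unchecked copy below writes an oversized input straight past an 8-byte name field into the byte that follows it, while the bounded version refuses the input instead. The 16-byte record, the field layout and the inputs are all constructed for the example.

```c
/* Added example: a fixed-size field copied with and without a length check.
 * The 16-byte record is a constructed stand-in for adjacent memory: bytes 0-7
 * hold a name, byte 8 holds a privilege flag that should never be user-writable. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8
#define RECORD_LEN 16
#define FLAG_OFFSET NAME_LEN   /* the flag sits directly after the name field */

/* Unchecked copy: writes every input byte, so input longer than NAME_LEN
 * spills into whatever lies after the field (here, the flag).
 * Returns the flag byte after the copy so the effect can be observed. */
unsigned char copy_unchecked(unsigned char record[RECORD_LEN], const char *input)
{
    memset(record, 0, RECORD_LEN);
    size_t n = strlen(input);
    if (n > RECORD_LEN) n = RECORD_LEN;         /* keeps the model itself in bounds */
    for (size_t i = 0; i < n; i++)
        record[i] = (unsigned char)input[i];    /* no comparison against NAME_LEN */
    return record[FLAG_OFFSET];
}

/* Bounded copy: rejects input that does not fit (terminator included) and never
 * touches bytes past the field. Returns 0 on success, -1 if the input is refused. */
int copy_bounded(unsigned char record[RECORD_LEN], const char *input)
{
    memset(record, 0, RECORD_LEN);
    size_t n = strlen(input);
    if (n >= NAME_LEN)
        return -1;                              /* too long: refuse rather than spill */
    memcpy(record, input, n);
    record[n] = '\0';
    return 0;
}

int main(void)
{
    unsigned char rec[RECORD_LEN];
    /* Constructed oversized input: 8 name characters followed by a 0x01 byte */
    const char *oversized = "AAAAAAAA\x01";
    printf("unchecked: flag=%u\n", copy_unchecked(rec, oversized));
    printf("bounded:   rc=%d flag=%u\n", copy_bounded(rec, oversized), rec[FLAG_OFFSET]);
    return 0;
}
```

The unchecked path reports the flag flipped to 1 by nothing more than an over-long string; the bounded path returns -1 and leaves the flag at 0.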
As these vulnerabilities and errors are not planned or intended by the developer, the developer would not know about the issue until someone reports it, and then works on a fix. Depending upon the complexity of the problem, this could take several days, weeks or months. It may even require a complete re-architecture of the software to remove the vulnerability. The developer or software publisher would then release a hotfix, a patch or an update. Users of the software would be able to download the update and install it, or in some cases the fix would be released on a CD or even a floppy disk.
Announce a vulnerability, or exploit it?
When a vulnerability is discovered, it is often found by hackers who are explicitly looking for one. If the hacker is a “white hat”, they would reveal the details of what they have found to the software vendor. If the hacker was probing and exploring in order to find a way to crash or damage the site or software, they may exploit the issue or sell the knowledge about the problem to other hackers. These “black hat” hackers would not inform the software vendor, because they then have the opportunity to gain from what they have found. This could be to gain financially, inject malware or viruses, steal data, enact revenge, or just cause damage.
What are zero days?
In the earlier days of the Internet and anti-virus vendors, there was a concern about the time it would take to release a fix for problems that were already known. At one stage, it was taking many days or even months between a vulnerability becoming known and the software vendor producing a patch. In this time, hackers would be able to develop an exploit, which could be released to script kiddies or the hacking community. This window between a known (and announced) vulnerability and an exploit was getting shorter.
Anti-virus vendors and security companies would rush to provide interim patches for vulnerable systems – not fixing the source software, but instead making the exploit methods difficult. The window was getting smaller – 30 days between a vulnerability and an update, then 20, and then just 5 days. The concern was: what would happen when there were zero days? If there was a known problem, and hackers could make use of it immediately, how would this impact the Internet?
Zero Day exploits
In today’s environment, there are more zero days than ever. Where in the past there was a fear that a single vulnerability might have an exploit in less than 5 days, now it is commonplace. Vulnerabilities have exploits before anyone knows that the vulnerability exists. Hackers are now faster at exploiting vulnerabilities, and are sometimes able to conduct malicious activities immediately upon finding a gap in the armour. And the real weak spot is that users are getting so complacent about constant updates and patches that systems can remain unpatched long after there are known fixes.
White Hat announcements
In the early days of searching for vulnerabilities, there were published libraries of known issues (such as Microsoft’s MSRC patch site), where the White Hat hacker would get kudos and reputation for finding the vulnerability, sometimes being paid a bounty or award, and the White Hat would publish the details of the vulnerability to show off their knowledge of the issue. Very soon, this was identified as a problem. With the details of the vulnerability and how it could be executed, malicious actors would be able to use these sources to develop and test their exploits. There were also “Grey Hat” hackers who would seek out bounties for finding vulnerabilities, or seek to increase their own reputation, instead of helping the community.
What does Zero Day mean?
The term zero day means that there is a known vulnerability or gap in the security or stability of a software product or service, and that hackers know of a way to execute an exploit that can steal data, damage the stability of the system, or inject viruses. These are the most pernicious threats to system security, and the most dangerous are the ones that no one (other than the attackers) knows about. As soon as the software vendor has a known fix or mitigation and releases it for users to install, it is no longer a zero-day threat; it is simply a patched vulnerability.