The term zero day, once used exclusively among security professionals, is quickly becoming part of the public dialect. It refers to either a vulnerability or exploit never before seen in public. A zero-day vulnerability is a flaw in a piece of software that the vendor is unaware of and thus has not issued patch or advisory for. The code written to take advantage of this flaw is called the zero-day exploit. When writing software, vendors often focus on providing usability and getting the most functional product out to the market as quickly as possible. This often results in products that require numerous updates as more users interact with the software. Ideally, the number of vulnerabilities decreases as time progresses, as adoption increases, and as patches are issued. However, this doesn’t mean that you should let your guard down because of some sense of increased security. Rather, you should be more vigilant; an environment that has complete adoption of software means that it’s defenseless should a zero-day exploit be used against it.
Zero-day exploits were once extremely rare, but the security community has observed a significant uptick in their usage and discovery. As security companies improve their software, malware writers have worked to evolve their products to evade these systems, creating a malware arms race of sorts. Modern zero-day vulnerabilities are extremely valuable, and as with anything else of perceived value, markets have formed. Black markets for zero-day exploits exist with ample participation from criminal groups. On the opposite end of the spectrum, vendors have used bug bounty programs to supplement internal vulnerability discovery, inviting researchers and hackers to actively probe their software for bugs in exchange for money and prizes. Even the Pentagon, a traditionally bureaucratic and risk-averse organization, saw the value in crowdsourcing security in this way. In March of 2016, it launched the “Hack the Pentagon” challenge, a pilot program designed to identify security vulnerabilities on public-facing Defense Department sites.
Published on Sat 02 December 2017 by Ralph Holdsworth in Security with tag(s): attacks zero day