Zero-day (computing)
A zero-day (also known as zero-hour or 0-day or day zero) vulnerability is an undisclosed computer-software vulnerability that hackers can exploit to adversely affect computer programs, data, additional computers or a network.[1] It is known as a "zero-day" because it is not publicly reported or announced before becoming active, leaving the software's author with zero days in which to create patches or advise workarounds to mitigate its actions.[2]
Attacks employing zero-day exploits are often attempted by hackers before or on the day that notice of the vulnerability is released to the public; sometimes before the author is aware or has developed and made available the corrected code.[3] Zero-day attacks are a severe threat.[4]
Attack vectors
Malware writers can exploit zero-day vulnerabilities through several different attack vectors. Sometimes, when users visit rogue websites, malicious code on the site can exploit vulnerabilities in Web browsers. Web browsers are a particular target for criminals because of their widespread distribution and usage. Cybercriminals can also send malicious e-mail attachments via SMTP, which exploit vulnerabilities in the application opening the attachment.[5] Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases like US-CERT. Criminals can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data.[6]
Window of vulnerability
The time from when a software exploit first becomes active to the time when the number of vulnerable systems shrinks to insignificance, is known as the Window of Vulnerability (WoV).[7] The time-line for each software vulnerability is defined by the following main events:
- t0: The vulnerability is discovered.
- t1a: A security patch is published (e.g., by the software vendor).
- t1b: An exploit becomes active.
- t3: Most vulnerable systems have applied the patch.
For normal vulnerabilities we have that t1b - t1a > 0. This implies that the software vendor was aware of vulnerability (at time t ≥ t0) and had time to publish a security patch (t1a) before any hacker could craft a workable exploit (t1b). For zero-day exploits, we have that t1b - t1a ≤ 0 so that the exploit became active before a patch was made available.
By not disclosing known vulnerabilities, a software vendor hopes to reach t3 before t1b is reached, thus avoiding any exploits. However, the vendor has no guarantees that hackers will not find vulnerabilities on their own. Furthermore, security patches can be analysed to reveal the underlying vulnerabilities and automatically generate working exploits,[8] thus we will always have t0 <= t1a and to <= t1b.
In practice, the size of the WoV varies between systems, vendors, and individual vulnerabilities. It is often measured in days, with one report from 2006 estimating it to 28 days.[9]
Protection
Zero-day protection is the ability to provide protection against zero-day exploits. Since zero-day attacks are generally unknown to the public, it is often difficult to defend against them. Zero-day attacks are often effective against "secure" networks and can remain undetected even after they are launched. Thus, users of so-called secure systems must also exercise common sense and practice safe computing habits.[10]
Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as OS X, Windows Vista (see also: Security and safety features new to Windows Vista), Solaris, Linux, Unix, and Unix-like environments; Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities[11] and previous versions include even less. Desktop and server protection software also exists to mitigate zero-day buffer overflow vulnerabilities. Typically these technologies involve heuristic termination analysis—stopping them before they cause any harm.[12]
It has been suggested that a solution of this kind may be out of reach because it is algorithmically impossible in the general case to analyze any arbitrary code to determine if it is malicious, as such an analysis reduces to the halting problem over a linear bounded automaton, which is unsolvable. It is, however, unnecessary to address the general case (that is, to sort all programs into the categories of malicious or non-malicious) under most circumstances in order to eliminate a wide range of malicious behaviors. It suffices to recognize the safety of a limited set of programs (e.g., those that can access or modify only a given subset of machine resources) while rejecting both some safe and all unsafe programs. This does require the integrity of those safe programs to be maintained which may prove difficult in the face of a kernel level exploit. Symantec's SONAR technology attempts to identify non-malware software by using an algorithm that detects traits of known-good software. Any newly installed program that does not meet the algorithm's criteria is flagged as potential malware.[13]
The Zeroday Emergency Response Team (ZERT) was a group of software engineers who worked to release non-vendor patches for zero-day exploits.
Worms
Zero day worms take advantage of a surprise attack while they are unknown to computer security professionals. Recent history shows an increasing rate of worm propagation. Well designed worms can spread within minutes (some say even seconds) with devastating consequences to Internet and otherwise.
Ethics
Differing ideologies exist relative to the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity. An example of such a program is TippingPoint's Zero Day Initiative. While selling and buying these vulnerabilities is not technically illegal in most parts of the world there is a lot of controversy over the method of disclosure. A 2006 German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.
Most formal programs follow some form of Rain Forest Puppy's disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response. In general these rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch.
Viruses
A zero-day virus (also known as zero-day malware or next-generation malware) is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available.[14]
Traditionally, antivirus software relies upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained, signatures generated and updates distributed to users. Because of this, signature-based approaches are not effective against zero-day viruses.
Most modern antivirus software still use signatures, but also carry out other types of analysis.
Code analysis
In code analysis, the machine code of the file is analysed to see if there is anything that looks suspicious. Typically, malware has characteristic behaviour and code analysis attempts to detect if this is present in the code.
Although useful, code analysis has significant limitations. It is not always easy to determine what a section of code is intended to do; particularly if it is very complex and has been deliberately written with the intention of defeating analysis. Another limitation of code analysis is the time and resources available. In the competitive world of antivirus software, there is always a balance between the effectiveness of analysis and the time delay involved.
Emulation
One approach to overcome the limitations of code analysis is for the antivirus software to run suspect sections of code in a safe sandbox and observe their behaviour. This can be orders of magnitude faster than analysing the same code.
Generic signatures
Generic signatures are signatures that are specific to certain behaviour rather than a specific item of malware. Most new malware is not totally novel, but is a variation on earlier malware, or contains code from one or more earlier examples of malware. Thus the results of previous analysis can be used against new malware.
Competitiveness in the antivirus software industry
It is generally accepted in the antivirus industry that the signature-based protection of most vendors is identically effective. If a signature is available for an item of malware, then every product (unless dysfunctional) should detect it. However, some vendors are significantly faster than others at becoming aware of new viruses and/or updating their customers signature databases to detect them.
There is a wide range of effectiveness in terms of zero-day virus protection. The German computer magazine c't found that detection rates for zero-day viruses varied from 20% to 68%.[15] It is primarily in the area of zero-day virus performance that manufacturers now compete.
See also
- Access control
- Heuristic analysis
- Market for zero-day exploits
- Network Access Control
- Network Access Protection
- Network Admission Control
- Software-defined protection
- Targeted attacks
References
- ↑ Compare: "What is a Zero-Day Vulnerability?". pctools. Symantec. Retrieved 2016-01-20.
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by crackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
- ↑ Flash Vulnerabilities Causing Problems
- ↑ About Zero Day Exploits
- ↑ THE MAN WHO FOUND STUXNET – SERGEY ULASEN IN THE SPOTLIGHT published on November 2, 2011
- ↑ SANS sees upsurge in zero-day Web-based attacks, Computerworld Archived December 22, 2008, at the Wayback Machine.
- ↑ "E-mail Residual Risk Assessment" Avinti, Inc., p. 2 http://www.avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf[]
- ↑ Johansen, Håvard; Johansen, Dag; Renesse, Robbert van (2007-05-14). Venter, Hein; Eloff, Mariki; Labuschagne, Les; Eloff, Jan; Solms, Rossouw von, eds. New Approaches for Security, Privacy and Trust in Complex Environments. IFIP International Federation for Information Processing. Springer US. pp. 373–384. doi:10.1007/978-0-387-72367-9_32. ISBN 9780387723662.
- ↑ Halvar, Flake, (2016-10-25). "Structural Comparison of Executable Objects". doi:10.17877/de290r-2007.
- ↑ "Internet Security Threat Report" Symantec Corp, Vol. X, Sept. 2006, p. 12
- ↑ What is a Zero-Day Exploit?
- ↑ Changes to Functionality in Microsoft Windows XP Service Pack 2
- ↑ "Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems" (PDF). Retrieved 29 December 2013.
- ↑ Symantec unveils SONAR to find zero-day attacks Archived April 2, 2009, at the Wayback Machine.
- ↑ "Cyberhawk - zero day threat detection review". Kickstartnews. Retrieved 29 December 2013.
- ↑ Goodin, Dan (21 December 2008). "Anti-virus protection gets worse". The Channel. Retrieved 29 December 2013.
- Messmer, Ellen, Is Desktop Antivirus Dead?, PC World, April 6, 2007.
- Naraine, Ryan, Anti-Virus Is Dead, D-E-A-D, Dead!, eWeek, December 1, 2006.
External links
- Zero Day Tracker
- US-CERT vulnerability database
- Examples of zero-day attacks:
- Attackers seize on new zero-day in Word from InfoWorld
- PowerPoint Zero-Day Attack May Be Case of Corporate Espionage from FoxNews
- Microsoft Issues Word Zero-Day Attack Alert from eWeek