In the Information Security field, we have an event that we refer to as a "Zero Day". Most of the time when we talk about a zero day, we are talking about a zero day exploit. But occasionally, the term can be used to discuss a zero day vulnerability or flaw. If you are interested enough to follow me down this rabbit hole, I can help you understand all of this jargon and what it means to you and your business.
In order to understand the zero day, we must first understand the difference between a vulnerability and an exploit. A vulnerability is a programming flaw that has the potential to be exploited in a way that jeopardizes the confidentiality, integrity, or availability of our information. In short, a vulnerability is a bug that impacts security. How does that differ from an exploit?
An exploit is a piece of code that takes advantage of (or exploits) the weakness a vulnerability creates. Or, more simply, an exploit is a computer program that uses a vulnerability in another computer program to make it do something it was not designed to do. The successful application of an exploit to a vulnerable computer system, in the worst cases, leads to an unauthorized person (e.g. a malicious hacker or script kiddie) gaining administrative access to your computer, across the Internet.
Now that we know what an exploit is, and how exploits take advantage of vulnerabilities, we can move farther down this rabbit hole. While none of this is pleasant, in the best cases a software vendor finds their own bug (vulnerability) and fixes it before anyone even knows there was a problem. The software vendor then releases a "patch" which updates the programming code of the application, in effect swapping out the code that had the security flaw in it for code that is no longer vulnerable to attack. In these best case scenarios, an end user or business running this vendor's software must apply the patch in order to remedy the vulnerability; until the patch is applied, the installed copy is still the flawed one. The sad part of this version of the story is that millions of people do not update their software in any systematic fashion, and therefore stay vulnerable.
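To make the three terms concrete, here is a toy vulnerability, the input that exploits it, and the patch that fixes it, in C. This is example code written for this article page, not code from the original article or from any real product; the record layout (a 16-byte name followed by a 1-byte admin flag), the field sizes and the function names are assumptions made up for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption for this example, not a real
 * product): a 16-byte user name followed immediately by a 1-byte flag that
 * the program later consults to decide whether the user is an administrator. */
#define NAME_LEN     16
#define ADMIN_OFFSET NAME_LEN
#define RECORD_LEN   (NAME_LEN + 1)

static void init_record(uint8_t record[RECORD_LEN])
{
    memset(record, 0, RECORD_LEN);   /* fresh record: empty name, not admin */
}

/* The vulnerability: the "before" version copies however many bytes the
 * caller supplies and never checks that they fit in the name field.
 * Anything past byte 16 lands on the admin flag. */
static void set_name_vulnerable(uint8_t record[RECORD_LEN], const char *input)
{
    memcpy(record, input, strlen(input));
}

/* The patch: identical behaviour for legitimate names, but input that does
 * not fit the field is rejected instead of spilling into the next field. */
static bool set_name_patched(uint8_t record[RECORD_LEN], const char *input)
{
    size_t n = strlen(input);
    if (n > NAME_LEN)
        return false;                /* reject: would overrun the name field */
    memcpy(record, input, n);
    return true;
}

static bool is_admin(const uint8_t record[RECORD_LEN])
{
    return record[ADMIN_OFFSET] != 0;
}

/* The exploit: not a valid user name at all, just 16 filler bytes followed
 * by the single byte we want written onto the admin flag. The input is kept
 * to exactly RECORD_LEN bytes so the demonstration stays within the record
 * and is well-defined C; a real attack would not be so polite. */
static const char EXPLOIT_INPUT[] = "AAAAAAAAAAAAAAAA\x01";

/* Run the exploit against the flawed code. Returns true if the attacker
 * ends up as admin, i.e. the exploit worked. */
bool exploit_succeeds_against_vulnerable(void)
{
    uint8_t record[RECORD_LEN];
    init_record(record);
    set_name_vulnerable(record, EXPLOIT_INPUT);
    return is_admin(record);
}

/* Run the same exploit against the patched code. Returns true only if the
 * input was accepted or the flag changed, i.e. the patch failed. */
bool exploit_succeeds_against_patched(void)
{
    uint8_t record[RECORD_LEN];
    init_record(record);
    bool accepted = set_name_patched(record, EXPLOIT_INPUT);
    return accepted || is_admin(record);
}

/* Sanity check that the patch did not break ordinary use. */
bool patched_accepts_normal_name(void)
{
    uint8_t record[RECORD_LEN];
    init_record(record);
    return set_name_patched(record, "alice") && !is_admin(record);
}

int main(void)
{
    printf("exploit vs vulnerable code: %s\n",
           exploit_succeeds_against_vulnerable() ? "admin (exploited)" : "not admin");
    printf("exploit vs patched code:    %s\n",
           exploit_succeeds_against_patched() ? "admin (exploited)" : "rejected");
    printf("patched code, normal name:  %s\n",
           patched_accepts_normal_name() ? "accepted" : "broken");
    return 0;
}
```

The point to notice is that the "patch" is a one-line length check: the vendor swaps set_name_vulnerable for set_name_patched, and the same crafted input that made the flawed version hand out admin rights is simply refused. Nothing about the exploit changes; what changes is whether the code it targets is still installed.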
In another instance, an Information Security firm or freelancer (a researcher) that specializes in finding vulnerabilities reviews a vendor's product and finds a vulnerability. This case can go pretty much like the one above, if the firm or freelancer follows the ethics most often used in the Information Security Industry. These ethics state that when such a vulnerability is found, knowledge of it is given first, and only, to the vendor responsible for fixing the flaw. The researcher is supposed to give the vendor time to fix the problem before telling the world. When things go as planned, the vendor releases a patch, the researcher releases their information to the public, and everyone is happy. However, if the researcher does not give the vendor any time to fix the flaw, and releases the information to the public without any notice to the vendor, we have a zero-day vulnerability: the vendor has had zero days to prepare a fix. At this point the race is on between the vendor trying to fix the flaw and malicious hackers trying to come up with an exploit.
The last case is the most common when we are talking about zero day events. In this scenario, the "researcher" is the malicious hacker. He finds the flaw and tells no one about it. He develops, tests, and deploys an exploit in the underground. The public at large finds out about it when "things start happening" on their systems; in effect the public learns about the issue through cyber-casualties. The vendor and the Information Security Industry must capture a copy of the exploit code, and then reverse engineer it (disassemble it and examine it in detail) in order to understand how it works. By examining the exploit, the security teams can work backwards to the vulnerability it targets. Only once that is done can the vendor patch their vulnerable code, and in the meantime the exploit is already in use.
In the past few months there have been several zero day events. Adobe is fighting to fix flaws discovered after the release of a zero day exploit affecting PDF files; likewise Microsoft is fighting to fix problems that impact their Microsoft Office Web Components, which they describe as potentially creating a "browse and get owned" scenario; and the Mozilla team is in the cyber-trenches as I write this, trying to fix issues with Firefox.
What should I do? Watch for patches, apply patches, and keep your internet security software up to date!