Zero Day Exploits

Holy Grail Of The Malicious Hacker


One of the mantras of information security is to keep your systems patched and updated. As vendors learn about new vulnerabilities in their products, either from 3rd-party researchers or through their own discoveries, they create hotfixes, patches, service packs and security updates to repair the holes.

The Holy Grail for malicious program and virus writers is the “zero-day exploit”. A zero-day exploit is one in which the exploit for a vulnerability is created before, or on the same day that, the vendor learns about the vulnerability.

By creating a virus or worm that takes advantage of a vulnerability the vendor is not yet aware of, and for which no patch is yet available, the attacker can wreak maximum havoc.

Some vulnerabilities are dubbed zero-day exploit vulnerabilities by the media, but the question is: zero day by whose calendar? Oftentimes the vendor and key technology providers are aware of a vulnerability weeks or even months before an exploit is created or before the vulnerability is disclosed publicly.

A glaring example of this was the SNMP (Simple Network Management Protocol) vulnerability announced in February of 2002. Students at Oulu University in Finland actually discovered the flaws in the summer of 2001 while working on the PROTOS project, a test suite designed to test SNMPv1 (version 1).

SNMP is a simple protocol that lets devices talk to each other. It is used for device-to-device communication and for remote monitoring and configuration of network devices by administrators.

SNMP is present in network hardware (routers, switches, hubs, etc.), printers, copiers, fax machines, high-end computerized medical equipment and in almost every operating system.

After discovering that they could crash or disable devices using their PROTOS test suite, the students at Oulu University discreetly notified the powers that be and the word went out to the vendors.

Everyone sat on that information and kept it secret until it was somehow leaked to the world that the PROTOS test suite itself, which was freely and publicly available, could be used as the exploit code to bring down SNMP devices. Only then did the vendors and the world scramble to create and release patches to address the situation.

The world panicked and it was treated as a zero-day exploit, when in fact more than 6 months had gone by since the vulnerability was originally discovered. Similarly, Microsoft finds new holes, or is alerted to new holes, in its products on a regular basis. Some of them are a matter of interpretation, and Microsoft may or may not agree that it is actually a flaw or vulnerability. But even for many of the ones it agrees are vulnerabilities, weeks or months can go by before Microsoft releases a security update or service pack that addresses the issue.

One security organization (PivX Solutions) used to maintain a running list of Microsoft Internet Explorer vulnerabilities that Microsoft had been made aware of but hadn’t yet patched. There are other sites on the web, frequented by hackers, that maintain lists of known vulnerabilities and where hackers and malicious code developers trade information as well.

This is not to say that the true zero-day exploit doesn’t exist. Unfortunately, it also happens all too often that the first time the vendors or the world are made aware of a hole is during a forensic investigation into how a system was broken into, or when analyzing a virus that is already spreading in the wild to find out how it works.

Whether the vendors knew about the vulnerability a year ago or found out about it this morning, if the exploit code exists when the vulnerability is made public, it’s a zero-day exploit on your calendar.

The best thing you can do to protect against zero-day exploits is to follow good security policies in the first place. By installing and keeping your anti-virus software up to date, blocking email attachments that may be harmful, and keeping your system patched against the vulnerabilities you are already aware of, you can secure your system or network against 99% of what is out there.

One of the best measures for protecting against currently unknown threats is to employ a hardware or software firewall (or both). You can also enable heuristic scanning (a technology that attempts to block viruses or worms that are not yet known) in your anti-virus software. By blocking unnecessary traffic in the first place with a hardware firewall, blocking access to system resources and services with a software firewall, and using your anti-virus software to help detect anomalous behavior, you can better protect yourself against the dreaded zero-day exploit.