A zero-day vulnerability is a computer security vulnerability that is unknown to the software developer or vendor. It is called a "zero-day" because it is discovered on the same day an attacker exploits it: the vulnerability has been known for "zero days", meaning it was not found before it was exploited. Because the vulnerability is unknown to them, the software developer or vendor has had no opportunity to fix it before it is used.
Zero-day vulnerabilities can be very dangerous because attackers can use them to access systems and data without being detected.
It is essential to keep your computer and other devices up to date. Software developers and vendors regularly release updates to fix vulnerabilities, so downloading and installing those updates promptly is necessary to keep your device safe.
What impacts could it have?
Zero-day vulnerabilities can be exploited in various ways.
- An attacker can use a zero-day vulnerability to gain access to a computer system or network. Once inside, the attacker can use the vulnerability to install malicious software, steal data, or perform other unauthorized activities, such as stealing personal information like credit card numbers or passwords.
- Zero-day vulnerabilities can be exploited without the knowledge of the system owner. For example, if the vulnerability is in a web browser, the attacker can set up a malicious website that exploits it and lure users to that site. When users visit the website, their computer is compromised without their knowledge.
- Zero-day vulnerabilities can also be exploited through malicious emails. In this scenario, the attacker sends the victim an email containing a link or attachment that triggers the zero-day vulnerability. When the victim clicks the link or opens the attachment, their computer is compromised.
What are some examples?
- Stuxnet: Discovered in 2010, this sophisticated malware was used to target Iranian nuclear plants. It took advantage of a Windows vulnerability, a flaw in how Windows handled shortcut files, to spread itself across a network without user interaction and cause damage to the nuclear facility.
- Target Breach: In 2013, Target Corporation suffered a significant data breach due to a zero-day vulnerability. Attackers exploited a zero-day vulnerability in the company's point-of-sale system, gaining access to customer data, including credit card details. The breach resulted from a failure to patch the vulnerable system, which had been known to have a zero-day vulnerability for over a year before the breach occurred.
- Adobe Flash Player: In 2015, a zero-day vulnerability was discovered in Adobe Flash Player. It allowed attackers to remotely execute malicious code on vulnerable systems. Adobe released a patch shortly after the discovery, but attackers had already exploited the vulnerability before the patch was released.
- Microsoft Exchange Zero-Day Vulnerability: In March 2021, security researchers discovered a zero-day vulnerability in Microsoft Exchange server software. The vulnerability was a remote code execution (RCE) bug that enabled attackers to gain access to a network without requiring any authentication. Attackers exploited it to install web shells, which allowed them to execute malicious code on the server and deploy ransomware. Microsoft patched the vulnerability shortly after its discovery.
- Adobe Flash Player Zero-Day Vulnerability: In April 2021, researchers discovered a zero-day vulnerability in Adobe Flash Player that could allow attackers to gain access to a system without requiring any authentication. The vulnerability allowed attackers to run malicious code on the system, which could be used to steal data, deploy ransomware, and more. Adobe released a patch shortly after the vulnerability was discovered.
- Oracle WebLogic Server Zero-Day Vulnerability: In January 2021, researchers discovered a zero-day vulnerability in Oracle WebLogic Server that allowed attackers to access a system without authentication and execute malicious code on the server, which could be used to deploy ransomware and steal data. Oracle released a patch shortly after the vulnerability was discovered.
Zero-day vulnerabilities are typically discovered by security researchers who are actively looking for them. Once a vulnerability is discovered, the researcher can alert the affected party so that it can patch the vulnerability and protect its systems. In some cases, security researchers may instead sell the details of the zero-day vulnerability to third parties, such as governments or cybercriminals.