12 November 2013
Zero-day vulnerabilities are security flaws that are not yet known to the software publisher or hardware manufacturer concerned. They are therefore neither published nor patched, unlike a vulnerability discovered and reported through an ethical, coordinated disclosure process: the vendor has had "zero days" to fix the flaw.
Vulnerabilities generally stem from mistakes made when writing software code, or from unanticipated side effects of optimizations, whether in software or in hardware. Zero-day vulnerabilities fit this definition too; their special status comes from the fact that they are kept secret and exploited, potentially for malicious purposes.
The fact that publishers have not discovered a zero-day does not mean it cannot be exploited. On the contrary, the exploitation of zero-day vulnerabilities is an extremely lucrative market.
Zero-day vulnerabilities are notably exploited in secret by governments for national (and international) security operations, but also by criminal hackers for malicious ends. Their exploitation is more discreet because traditional security solutions (such as signature-based antivirus) have no signature or patch with which to detect them, so they can take by surprise even companies and organizations with a mature cybersecurity posture: they affect fully patched, up-to-date software.
That is why they are so critical: they give their owners a head start on the rest of the world, which matters greatly in cyber-espionage, for example. The absence of any defense also opens access to targets believed to be hardened, whether through highly targeted operations or large-scale ones.
As an illustration, EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation, was held privately as a zero-day before the flaw was patched (MS17-010, March 2017) and the exploit was leaked. Two months after the patch it powered the famous WannaCry* worm, which infected some 300,000 computers in 150 countries, essentially machines that had not yet applied the update. This is the practical caveat: a zero-day stops being one the day it is disclosed, but it keeps hitting every system that is slow to patch.
Zero-day vulnerabilities are gateways. Once exploited, they give attackers a range of follow-on actions as diverse as they are dangerous: remote control of a machine, data theft, or reading internal memory, for instance.
The real interest of a zero-day, for an attacker, lies in the element of surprise guaranteed by the target's ignorance of the flaw's existence, which further increases the severity of the attack.
Teams of experts specialize in zero-day research. They may be hackers whose motives are sometimes laudable (improving the security of existing software) and sometimes financial (profiting from the resale of exploits).
To discover the flaws in their own software, publishers also run bug bounty programs and large-scale contests, in which they pay researchers who report flaws to them, as we will see in the second episode of this series.
In all cases, these specialists, whether researchers, hackers, or cybersecurity professionals, must write a proof of concept (PoC): a demonstration that the flaw is actually exploitable. In other words, they have to prove that they can make the software or device carry out actions its designers did not foresee.
These actions range from crashing the software or machine to executing arbitrary commands. PoCs can be submitted to publishers, to companies specializing in buying and reselling zero-day exploits, or to public or private intelligence actors. To turn a PoC into a working exploit, it is extended with a payload, the code that runs once the flaw has been triggered. That payload can then be integrated into a virus, for example, to infect the system and carry out malicious actions.
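To make the PoC idea concrete, here is an added example written for this article; it is not code from the original page or from any real product. It assumes a hypothetical record layout (a fixed-size name field followed by an authorization flag) and invented function names. The vulnerable setter trusts the caller's length and copies past the end of the name field; the PoC is the smallest input that reaches the flag, and the hardened setter is the same operation with the missing bound check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, not from any real product):
 * a fixed-size name field followed by an authorization flag. */
struct account {
    char name[16];
    int  is_admin;
};

typedef int (*name_setter)(struct account *, const unsigned char *, size_t);

/* Vulnerable version: trusts the caller-supplied length and copies it
 * byte by byte starting at the name field, so a long input runs into
 * whatever follows the name in memory. Copying through a char pointer
 * that stays inside the struct keeps the demonstration deterministic
 * instead of relying on undefined behaviour. */
int set_name_vulnerable(struct account *acct, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)acct + offsetof(struct account, name);
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
    return 0;
}

/* Hardened version: the same operation with the bound check the
 * vulnerable one lacks; over-long input is rejected, not copied. */
int set_name_hardened(struct account *acct, const unsigned char *src, size_t len)
{
    if (len >= sizeof acct->name)
        return -1;
    memcpy(acct->name, src, len);
    acct->name[len] = '\0';
    return 0;
}

/* Proof of concept: an input exactly long enough to reach is_admin.
 * The leading bytes are filler; the trailing bytes land on the flag.
 * Non-zero bytes there flip the flag whatever the byte order. Returns
 * the PoC length, or 0 if the output buffer is too small. */
size_t build_poc(unsigned char *out, size_t cap)
{
    size_t flag_off = offsetof(struct account, is_admin);
    size_t total = flag_off + sizeof(int);
    if (cap < total)
        return 0;
    memset(out, 'A', flag_off);
    memset(out + flag_off, 0x01, sizeof(int));
    return total;
}

/* Runs the PoC against one implementation. Returns -1 if the input was
 * rejected, otherwise the value of is_admin after the copy: 0 means the
 * flag survived, non-zero means the PoC produced an unintended write. */
int run_poc(name_setter setter)
{
    struct account acct;
    unsigned char poc[sizeof(struct account)];
    size_t n;

    memset(&acct, 0, sizeof acct);
    n = build_poc(poc, sizeof poc);
    if (n == 0 || setter(&acct, poc, n) != 0)
        return -1;
    return acct.is_admin;
}

int main(void)
{
    printf("vulnerable: is_admin after PoC = %d\n", run_poc(set_name_vulnerable));
    printf("hardened:   result = %d (-1 means input rejected)\n", run_poc(set_name_hardened));
    return 0;
}
```

The PoC here only proves the unintended write (a flag flip); it carries no payload. Turning it into an exploit would mean replacing the filler with code or data that does something useful to the attacker once the flaw is triggered, which is exactly the step the text describes.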
Finally, a few additional points to note on this subject:
Honeypots also make it possible to discover zero-day vulnerabilities. A honeypot is a defensive technique that consists of luring attackers towards deliberately exposed decoy targets in order to observe them and learn their means of attack, which sometimes turn out to be zero-day vulnerabilities.
Zero-days are usually a last resort: because they are expensive to obtain and are burned once detected, attackers prefer known but unpatched vulnerabilities and reserve zero-days for targets where none of those can be exploited.
*EternalBlue was also one of the propagation mechanisms of the NotPetya malware in June 2017.