Recently, the security community has been enthralled—simultaneously terrified and fascinated—with a set of newly leaked attack tools. Within this set, a number of tools were designed to exploit “zero day” vulnerabilities for the Windows operating system. For this week’s blog, I’ll try to shed some light on what this jargon means, why “zero day” bugs are feared by some, and why you don’t need to panic.
The term, “zero day,” has its origins in the software piracy community. For decades, piracy groups have competed to be the first to distribute video games and applications that have had their copy protection removed (often a technically challenging process). When an unprotected copy of the software is available the same day that the legitimate software has been released, this has traditionally been called “zero day warez”.
More often than the software industry would like to admit, computer security vulnerability researchers’ careers have their origins in hacking copy protection. This winds up serving as very effective cross-training. The same skills used to reverse engineer copy protection and design workarounds are directly applicable to finding vulnerabilities in computer systems, software, and networks. Thus, some of the terminology of computer security is inherited from the subculture of software piracy and the mischievous hackers of the 80’s and 90’s.
“Zero day,” in computer security, is a term used to describe new vulnerabilities identified in software. These vulnerabilities can be exploited by attackers to gain access to your systems and networks. Exact definitions vary (and are often pointlessly debated), but the term “zero day” is usually reserved for vulnerabilities that do not yet have a patch or fix available.
This is especially dangerous when that vulnerability information is made public, as attackers can use it to attack many systems that have not yet been patched, like the recent WannaCry ransomware attack. This danger is compounded when the vulnerabilities are “remote,” meaning that they can be exploited across a network without having to first log in.
The recently disclosed Windows vulnerabilities are unusual in that they are both remote and reliably exploitable (some vulnerabilities are too difficult for attackers to exploit in practice). Exploits for these vulnerabilities are readily available and easy for attackers to use. Thankfully, their “zero day” status is relatively short-lived. Patches for most of them are available now from Microsoft through Windows Update.
Though patches are available, these vulnerabilities will be widely exploited for years. If you asked any hacker or penetration tester about reliable remote exploits against Windows, they would immediately bring up “MS08-067” (colloquially named after the Microsoft bulletin that describes the patch for it). Even though this vulnerability was patched in 2008, it’s frequently used in penetration testing training (as it is very easy to exploit), and still occasionally encountered “in the wild” on poorly maintained systems. The recently disclosed vulnerabilities will join MS08-067 in having a long life.
Should you be worried about “zero day” vulnerabilities? The WannaCry attacks definitely opened the eyes of many individuals. Yes, you should be worried. Clearly, your security practices should include effective patch management that keeps systems up to date, but how can you prevent exploitation of vulnerabilities you don’t even know about?
Protecting yourself against the inevitable “unknown unknowns” of vulnerabilities requires more than just patch management. It’s important to minimize your attack surface–the parts of your network that an attacker has the opportunity to interact with and attack. Many vulnerabilities exploited in real-world breaches wind up being in systems that didn’t need to face the public Internet in the first place.
Defense-in-depth will help you overcome the need to fear “zero day.” Engage your IT security staff or vendor. Discuss how to examine your attack surface and how to minimize it. And carefully monitor everything that’s left! New vulnerabilities are disclosed and exploited on a daily basis. Some are more serious than others, but your goal should be to make sure that none of them become the weak link that takes out your organization.