Episode 76
The term ‘zero day’ has been mentioned a lot when discussing recent cyber security issues. While the concept may be well understood in the IT security space, it may not be clear to others.
In this article, we cover:
So what is ‘Zero Day’?
‘Zero Day’ refers to vulnerabilities that have not been actively exploited before, i.e. the issue has been known about for zero days so far.
As the vulnerability has not been exploited, affected vendors would not have released patches and users of affected software would have a potential exposure in their environment.
What is Project Zero?
Google has a separate team – Project Zero – just to search for these vulnerabilities. In the last 12 months, they have discovered 58 new Zero Day vulnerabilities. This is more than double what was found in the previous year.
So how are these ‘zero day’ vulnerabilities used?
Common applications include hackers using them for commercial gain and countries using them for surveillance (and potentially other) purposes.
Once used, a zero-day vulnerability often becomes known and is reported back to the software developers to fix. At that stage, the vulnerability is ‘in the wild’ (not kept on an isolated computer, but out in multiple private or public networks) and usually has a limited useful life. Because of that, zero days are usually saved for ‘big’ things, or for activities that would otherwise be difficult to achieve.
Vendors often have bug bounty programs for vulnerabilities to be reported under. These bounty programs usually pay money to developers for reporting newly discovered issues in their applications.
Ethical hackers and software developers would first report the discovery of vulnerabilities back to software vendors. These vendors would be given an amount of time, usually 60-90 days, to produce a fix and make it generally available.
At that time, the vulnerability can (more safely) be made public, knowing that a fix already exists. It is then up to the end client to ensure their systems are patched accordingly.
This concept is commonly referred to as ‘ethical disclosure’ – ensuring vendors have time to fix issues before they are made public.
What happens if a vendor does not release a fix?
Often if they just require more time, that can be worked out. Let’s face it, sometimes issues are complex and need additional time to address. However, if they seem to not be doing anything at all, the person who initially discovered and reported the vulnerability to the vendor may just make it public, forcing the vendor to take action. This reflects poorly on the vendor as they are seen to not be concerned about security issues in their products – something that customers clearly have a different opinion about.
Vendors list these vulnerabilities in a database under a ‘CVE’ (Common Vulnerabilities and Exposures) classification. Each CVE is assigned a unique number and contains a full description of the issue. At this time, there are nearly 175,000 CVE entries listed. The database, maintained by a non-profit organisation (the MITRE Corporation), is made available for free to everyone.
Each CVE is given a score out of 10 to denote how serious it is: 0 is the lowest and 10 is the highest.
Does your Software have a vulnerability?
If you are notified about a serious level of vulnerability in software you operate – especially software that sits on the public internet – you had better remediate that issue quickly. As soon as CVEs are announced, hackers write software to use that vulnerability to break into affected systems. This can take as little as a few hours to do.
What can you do?
Ensure your systems are patched. If running Windows workstations, auto-patching is a fairly safe approach. However, not all applications support auto-update capabilities. Your managed IT provider or IT team should have a list of all applications in use with a plan to regularly patch these for security updates.
Vulnerability scanning tools can also help. These tools (using the current MITRE CVE list) scan your network looking for known vulnerabilities. You can then address those that are found. Microsoft includes a vulnerability scanning function in some versions of Microsoft 365.
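To make the ‘application inventory plus CVE list’ idea concrete, here is an added Python example (not code from this article or from any vendor’s scanner) that matches a constructed software inventory against constructed CVE records and ranks what to patch first. The CVE ids, product names, versions and scores are made-up sample data, and the triage bands in patch_priority are assumptions for illustration.

```python
# Constructed sample data: the CVE ids, products, versions and scores below are
# made up for this example and are not real CVE entries.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    cve_id: str      # placeholder id, constructed for this example
    product: str
    fixed_in: str    # first version that carries the vendor's fix
    score: float     # severity score out of 10, as described in the article

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool

# Stand-in for the MITRE CVE feed a vulnerability scanner would consult.
CVES = [
    Cve("CVE-0000-0001", "webgate", "2.4.1", 9.8),
    Cve("CVE-0000-0002", "webgate", "2.3.0", 5.3),
    Cve("CVE-0000-0003", "docview", "11.0.2", 7.5),
]
# The application inventory an IT team or managed provider should keep.
INVENTORY = [
    Asset("dmz-web-01", "webgate", "2.3.4", True),
    Asset("dmz-web-02", "webgate", "2.4.1", True),
    Asset("ws-finance-07", "docview", "10.9.0", False),
]

def parse_version(text: str) -> tuple:
    """'2.10.1' -> (2, 10, 1): compare numerically, since '2.10' < '2.4' as strings."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(asset: Asset, cve: Cve) -> bool:
    """Affected when the asset runs the product at a version below the fixed one."""
    return asset.product == cve.product and parse_version(asset.version) < parse_version(cve.fixed_in)

def patch_priority(asset: Asset, cve: Cve) -> str:
    """Assumed triage bands (not from the article); exploit code can appear within hours."""
    if asset.internet_facing and cve.score >= 9.0:
        return "emergency"
    if asset.internet_facing or cve.score >= 7.0:
        return "this-week"
    return "routine"

def find_exposures(inventory, cves):
    """(asset, cve, priority) triples, most urgent first: internet-facing, then score."""
    hits = [(a, c, patch_priority(a, c)) for a in inventory for c in cves if is_vulnerable(a, c)]
    return sorted(hits, key=lambda h: (not h[0].internet_facing, -h[1].score))
```

Calling find_exposures(INVENTORY, CVES) on this sample data lists the internet-facing web host first as an emergency and the finance workstation second; the host already on the fixed version is not reported.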
As a general rule, make sure you keep up to date with patches and vendor security updates. That is one of the best ways to be safe.
This week, we shared a rich 2018 Merlot, perfect for those who enjoy a berry and plum flavoured red with a hint of vanilla. 4.5/5 ⭐