Zero-Day Exploits: Everything to Know in 2024
Explore zero-day exploits in cybersecurity: their definition, how they work, and how they differ from n-day vulnerabilities.
A zero-day vulnerability is a software vulnerability unknown to the vendor or developer. A zero-day exploit is code that leverages this vulnerability to compromise a system. The term "zero-day" indicates that the vendor has had zero days to create and release a patch since the vulnerability's discovery. These exploits are high-value attack vectors because they target undisclosed vulnerabilities, often evading existing security measures. Threat actors may use zero-day exploits for various purposes, including system infiltration, data exfiltration, or establishing persistent access.
Zero-day exploits typically unfold through the following steps:
1. Discovery: A vulnerability is identified in a software application or operating system.
2. Exploit Development: An exploit is crafted to take advantage of the vulnerability.
3. Attack: The exploit is deployed against systems vulnerable to it.
4. Detection: Security researchers or vendors eventually detect the exploit.
5. Patch: The vendor releases a patch or fix to address the vulnerability.
The window between the discovery of the vulnerability and the release of a patch is important, as it provides cybercriminals with an opportunity to exploit the vulnerability.
Zero-day vulnerabilities differ from n-day vulnerabilities in several ways. N-day vulnerabilities are known issues for which a patch or fix has been released but has not yet been applied to all systems. The term "n-day" refers to the number of days between the patch release and the attack on the vulnerable system.
The primary distinctions between zero-day and n-day vulnerabilities are:
1. Knowledge: Zero-day vulnerabilities are unknown to the vendor and security community, whereas n-day vulnerabilities are known and have a patch available.
2. Patch Availability: Zero-day vulnerabilities lack an available patch, while n-day vulnerabilities have a patch that hasn't been universally applied.
3. Exploitability: Zero-day vulnerabilities are more challenging to detect and prevent due to their unknown nature, whereas n-day vulnerabilities are easier to address since a patch exists.
2024 has already witnessed the discovery of several zero-day vulnerabilities, which showcase the ongoing cat-and-mouse game between security researchers and malicious actors.
CVE-2024-30051: Windows DWM Core Library Vulnerability
In April 2024, Kaspersky researchers uncovered a zero-day elevation-of-privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which allowed attackers to escalate privileges on affected systems. Kaspersky promptly reported their findings to Microsoft, leading to the release of a patch on May 14, 2024, as part of Patch Tuesday.
CVE-2024-24919: Check Point Security Gateway Information Disclosure
Check Point identified a zero-day information disclosure vulnerability affecting its Network Security gateways, which had been actively exploited since early April 2024. This vulnerability allowed attackers to access certain information on internet-connected gateways configured with the IPSec VPN, Remote Access VPN, or Mobile Access software blade.
CVE-2024-5274: Google Chrome V8 Engine Vulnerability
Google patched a high-severity zero-day vulnerability in the Chrome browser's V8 JavaScript and WebAssembly engine. This type confusion bug, reported by Google's Threat Analysis Group and Chrome Security team on May 20, 2024, marked the eighth zero-day vulnerability fixed in Chrome during 2024 so far.
Given the serious threats posed by zero-days, a commercial market for buying and selling such exploits has emerged. Companies like Zerodium actively purchase vulnerabilities from security researchers to help technology companies address issues faster.
In fact, cybercriminals or grey hats sometimes sell vulnerabilities to these brokers as well, as evidenced by a thread from a cybercrime forum where a user sought a list of companies that would purchase zero-days.
Zerodium offers substantial payouts - up to $2 million for iPhone zero-days - to incentivize the responsible disclosure of vulnerabilities, subsequently sharing the details privately with vendors. However, some argue that this marketplace risks exploits falling into the wrong hands.
There's also a more nefarious side to the zero-day trade, where criminal groups actively buy vulnerabilities to carry out espionage or cyberattacks. They purchase exploits through private forums or brokers on the dark web, with some brokers selling Windows exploits for $50,000-$250,000. A recent example from last month showed a cybercriminal selling an IoT zero-day for $1000 USD in Bitcoin.
There are many myths and misconceptions surrounding zero-days. In the following section, we debunk a few of them.
Myth 1: Only nation-states have access to zero-days.
Reality: An active commercial market exists where brokers sell zero-days on private forums for $1K-$2M, accelerating dissemination to both researchers and cybercriminals. Ransomware groups frequently purchase the latest exploits.
Myth 2: Vendors can prevent all zero-day vulnerabilities.
Reality: As software complexity grows exponentially, unintended vulnerabilities will inevitably slip through testing. Zero-days will persist due to human fallibility and the immense scale of modern codebases.
Myth 3: Average users aren't at risk from zero-days.
Reality: Even non-technical individuals can be individually targeted via personalized phishing. Organization-wide network compromises via zero-days also potentially expose personal employee devices remotely.
Myth 4: You need cutting-edge tools to discover zero-days.
Reality: Some of the most serious vulnerabilities resulted from meticulous manual code reviews, not just automated scans. New and legacy platforms contain vulnerabilities identified through various technical and non-technical means.
Understanding zero-day exploits is important for developing a strong defense strategy, but it's only one piece of the puzzle. Implementing more comprehensive approaches, such as security automation, is equally essential. These strategies can significantly improve your defenses and reduce the mean time to detect (MTTD) new threats.
For more information on how generative AI and security automation can benefit your company, we recommend reading The Dark Reading Report on "The State of Generative AI in the Enterprise." This report offers valuable insights and trends on how security teams are using generative AI in conjunction with security automation to improve their overall security posture and response times.