Zero-Day Attacks – CompTIA Security+ SY0-401: 3.5

Many of our applications contain security vulnerabilities that haven’t been discovered yet. In this video, you’ll learn about zero-day attacks and why it’s important to patch our systems as quickly as possible.


Many of the applications that we use every day have vulnerabilities, and so do the operating systems we're running right now. We just have not found those vulnerabilities yet. Security researchers are working all the time to find a place where a program doesn't behave the way it should, or a hole in an operating system that could be exploited to gain access to that system. When the good guys find a vulnerability, they'll generally contact the developer or the manufacturer of that operating system and tell them what they have found. Then it's up to the people who created the application, or the developers of the operating system, to create the patch that will close that hole.

In the meantime, of course, the vulnerability still exists, and that's what the bad guys are trying to find: a vulnerability that nobody else has found yet and that the developer has not patched. If they find one, they can do a lot with it. They can get malware onto your computer much more easily, take over your system, or enroll it in a botnet. They can take advantage of it for their own gain, and that's what they are after. When the developer has no patch for a problem, whether because nobody has reported it to them or because the vulnerability has already been discovered by someone else and is being exploited in the wild while everybody is still susceptible, we call that a zero-day vulnerability. The "zero" is the number of days the developer has had to fix it: either the vulnerability has not been detected by the vendor at all, or it has only just come to light and no fix has been published for everyone to apply.

In other words, the defenders either don't know this vulnerability is there, or they know about it but have no fix for it yet. That's a zero-day vulnerability, and an attack that uses it is a zero-day exploit. You'll often hear about zero-day exploits through a message from the manufacturer of your operating system, or an email sent to you as a registered user of an application, saying: we've just identified this problem, we've seen it in the wild and people are actively taking advantage of it, and here are some things you can do to mitigate it until we come out with a patch. So you'll often hear about a problem but won't be able to patch it until days or even weeks have gone by.

That is especially bad, because once the bad guys hear that there's a vulnerability out there, they're going to try to figure it out. The developer isn't going to tell you how to take advantage of their operating system or their application; they'll just let everybody know that there is a problem and that you need to be aware of it. But that announcement puts every other attacker on high alert: if somebody has found a hole, they're going to try to find that hole as well.

A good place to look up these vulnerabilities, zero-day and otherwise, is the Common Vulnerabilities and Exposures (CVE) website at cve.mitre.org (the CVE program has since moved to cve.org). There you can see the latest publicly disclosed vulnerabilities, including zero-days once they have been announced, and it's also a good reference for going back in time to see what has happened in the past. One caveat: a CVE entry identifies and describes a vulnerability, but it doesn't by itself tell you whether a patch exists or whether your systems have applied it, so you still need the vendor's advisory and your own inventory for that. If you're looking at an operating system or an application and trying to decide whether you should be patching it, or whether there are things you need to apply to make it more secure, that's a good resource to use.

Let's look at the scope of a zero-day vulnerability, and let's go back in time to November 3, 2010, when Microsoft announced that there was a zero-day exploit for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. This was a very broad, high-impact zero-day because it affected practically every version of Internet Explorer in use, going back a number of years. Microsoft released a security advisory with just basic information, because they didn't want to give away too much about how the bad guys were exploiting Internet Explorer. They just wanted to make everyone aware of the problem and of the things they could do to make sure it would not affect them.

On December 14, well over a month after the announcement, the patch finally came out: security bulletin MS10-090 (the vulnerability is tracked as CVE-2010-3962). The bulletin described the vulnerability as relating to Cascading Style Sheet token sequences and the clip attribute, an "invalid flag reference". A lot of detail there. At that point Microsoft said, here's where the problem really was, and they could give that detail because they had a patch. Then it was up to you, the end user, to make sure the patch was put on your computer. Obviously, if you hadn't patched your computer, Internet Explorer 6, 7, and 8 would still be vulnerable, and to this day there are probably still people running versions of Internet Explorer that are vulnerable to this particular bug, which the bad guys absolutely want to take advantage of.

But look at the scope here. Internet Explorer 6 was released on August 27, 2001, so this particular vulnerability had just been sitting there; as far as anyone knew, nobody had found it. It wasn't until the bad guys found it, and it was announced on November 3, 2010, that we learned about it, just over nine years after that version had been released. That is the problem, the fear, for security professionals: we know our applications have vulnerabilities, and we know there are things we don't know about yet. That's our biggest concern.
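To make that timeline concrete, here is an added example (not code from the video, from Microsoft, or from the CVE program) that tracks a vulnerability's state from latent bug to zero-day to patched, and checks a host inventory against it. It also answers the question raised earlier about whether a given system still needs a patch. The dates and identifiers are the ones given above for the Internet Explorer bug; the host names, versions and installed-patch lists are invented, and the `Advisory` and `Host` records are a hypothetical schema for the example, not the CVE or Microsoft bulletin format.

```python
"""Exposure-window bookkeeping for a disclosed vulnerability.

Added example with constructed data, not code from the original page. The dates
are the ones the page gives for the IE 6/7/8 bug; hosts and patch lists are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Advisory:
    """One vulnerability as a defender tracks it on the timeline (hypothetical schema)."""
    bulletin: str                 # vendor's fix identifier (MS10-090 here)
    product: str
    affected: FrozenSet[str]      # affected version strings
    introduced: date              # earliest affected release shipped
    disclosed: date               # day the vulnerability became public
    patched: Optional[date]       # None while no fix has shipped
    exploited_in_wild: bool


@dataclass(frozen=True)
class Host:
    """One entry in a (constructed) software inventory."""
    name: str
    product: str
    version: str
    applied: FrozenSet[str]       # bulletins already installed on the host


def timeline_state(adv: Advisory, today: date) -> str:
    """Where the vulnerability sits on `today`: latent, zero-day, or patch available."""
    if today < adv.disclosed:
        return "latent"                       # exists, but not publicly known
    if adv.patched is None or today < adv.patched:
        # The zero-day window: public (and here actively exploited) with no fix.
        return "zero-day, exploited in the wild" if adv.exploited_in_wild else "zero-day"
    return "patch available"


def latent_days(adv: Advisory) -> int:
    """How long the bug sat in shipped software before anyone announced it."""
    return (adv.disclosed - adv.introduced).days


def exposure_days(adv: Advisory, today: date) -> int:
    """Days the public has been exposed with no patch; stops counting when the fix ships."""
    if today < adv.disclosed:
        return 0
    end = adv.patched if adv.patched is not None and adv.patched <= today else today
    return (end - adv.disclosed).days


def assess_host(host: Host, adv: Advisory, today: date) -> str:
    """Per-host verdict: version match first, then patch state, then the timeline."""
    if host.product != adv.product or host.version not in adv.affected:
        return "not affected"
    state = timeline_state(adv, today)
    if state == "patch available":
        return "patched" if adv.bulletin in host.applied else "vulnerable: patch not applied"
    if state == "latent":
        return "vulnerable: unknown to defenders"
    # Nothing to install yet: only compensating controls (IDS, firewall rules,
    # vendor workarounds) reduce risk during the zero-day window.
    return f"vulnerable: {state}, compensating controls only"


def report(hosts: Iterable[Host], adv: Advisory, today: date) -> Dict[str, str]:
    """Verdict per host name for one advisory on a given day."""
    return {h.name: assess_host(h, adv, today) for h in hosts}


# Timeline from the page; the bulletin identifier is the real one for this bug.
IE_CSS_CLIP = Advisory(
    bulletin="MS10-090",
    product="Internet Explorer",
    affected=frozenset({"6", "7", "8"}),
    introduced=date(2001, 8, 27),   # Internet Explorer 6 release
    disclosed=date(2010, 11, 3),    # Microsoft's security advisory
    patched=date(2010, 12, 14),     # MS10-090 cumulative update
    exploited_in_wild=True,
)

# Constructed inventory (invented host names and patch lists).
HOSTS = [
    Host("kiosk-01", "Internet Explorer", "6", frozenset()),
    Host("desk-07", "Internet Explorer", "8", frozenset({"MS10-090"})),
    Host("desk-09", "Internet Explorer", "8", frozenset()),
    Host("lab-02", "Firefox", "3.6", frozenset()),
]

if __name__ == "__main__":
    print(f"latent for {latent_days(IE_CSS_CLIP)} days before disclosure")
    for today in (date(2010, 10, 1), date(2010, 11, 20), date(2011, 1, 10)):
        print(f"{today}: {timeline_state(IE_CSS_CLIP, today)}, "
              f"{exposure_days(IE_CSS_CLIP, today)} days exposed without a patch")
        for name, verdict in report(HOSTS, IE_CSS_CLIP, today).items():
            print(f"   {name:9} {verdict}")
```

Run it as-is and the three dates show the three phases: before November 3 every affected host is silently vulnerable; during the 41-day window the only answer for an affected host is compensating controls, no matter how current its patch list is; after December 14 the verdict depends purely on whether MS10-090 was actually applied. In practice the `Host` records come from your inventory tool and the `Advisory` records from the vendor bulletin and the CVE entry.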

If the bad guys find the vulnerability first, they're going to take advantage of it, and if there isn't even a patch available, you are wide open until one ships. That's why we talk about layering different types of security on top of each other: if an application does turn out to have a vulnerability, maybe there's an IDS that can detect something interesting going on, or maybe you've set rules in your firewall that prevent access to other parts of that app. Those are the things we do to mitigate zero-days, along with whatever interim workarounds the vendor publishes. And we absolutely want to stay on top of what the manufacturers of our operating systems and the developers of our applications are doing, so that we aren't affected by these zero-day vulnerabilities.