Zero Day Vulnerability: How to Defend Against Unpatched Exploits

The term zero day vulnerability refers to a weak spot in an IT system that is discovered by hackers before the developer of the hard- or software. This time advantage gives bad actors the chance to develop attack strategies and carry out cyberattacks while no security patch is available. The name zero day refers to the fact that once manufacturers discover the issue, they have very little time (zero days) to fix it.

The fact that there is no security patch available when zero days first become public makes the discovery of a new zero day some of the worst news imaginable for IT teams, CIOs and CISOs. Organizations that are affected by a newly published vulnerability need to do everything in their power to mitigate the risk. For example, by temporarily disabling vulnerable systems or isolating them from other areas of the network.

There are several terms that are used in connection with zero days, mostly to refer to the different stages from discovering a theoretical weakness to carrying out a specific cyberattack based on it. There are three core concepts you need to understand when it comes to zero days:

The CVE reference system, short for Common Vulnerabilities and Exposures, is used to track vulnerabilities in IT systems. Each newly discovered weakness receives a unique identifier that includes the year of its discovery and a consecutive number. Additionally, vulnerabilities receive a CVSS score on a scale from 0 to 10 that indicates the severity of the issue.

CVSS scores are based on several factors, including how to access the weakness (locally, from adjacent networks or via the internet), how complex the exploit is to carry out, how many layers of authentication attackers need to bypass and how strongly it impacts the confidentiality, integrity and availability of data. Weaknesses with a CVSS score of 9 or higher are considered critical vulnerablities.

Zero day vulnerablities can affect all sorts of IT systems, ranging from web apps, cloud services and SaaS-platforms to locally installed software and even the firmware of devices. By definition, any security issue that attackers discover before the manufacturer is considered a zero day vulnerability. Bugs or software problems that a developer has yet to discover are not always dangerous. However, zero days tend to make the news and receive the most attention when they endanger widely used services.

Examples of well-known zero day vulnerabilites that led to large attack waves include:

Unfortunately, bugs and security issues in software are a common occurrence. Cybercriminals as well as security specialists and software developers are constantly searching for new vulnerabilities in code. Most of the time, developers, researchers and ethical white hat hackers manage to discover and patch bugs before they become a problem.

To provide developers with the time they need to develop an update, it is common practice for security experts to inform the manufacturer of a product before they make a vulnerability public. This policy was established by the prolific hacker Rain Forest Puppy, which is why it is known as RFPolicy. This way, companies have enough time to fix the problem so that, by the time they inform the public, a patch is ready and rolled out to as many affected systems as possible.

And there you have the issue: When hackers and other bad actors are first to discover a new vulnerability, they have the advantage and can develop exploits and launch attacks before the security hole is closed. Often, manufacturers only learn of the new weakness once customers report attacks or criminals discuss the strategy in hacking forums or similar channels. Not only does this mean that the zero day vulnerability is being actively exploited, but once a developer learns of it, it can still take several days until a patch is ready to deploy.

There are multiple theories regarding the origin of the phrase zero day vulnerability. Most connect the term to the lack of time or advance notice, and the pressure this puts on the manufacturer: i.e. the fact that the developer has zero days to prepare a patch. Or a hypothetical day zero when exploits are created and attacks begin but the developer has yet to learn of the issue.

Another explanation suggests software piracy and the warez scene as the source of the term zero day. Users who shared software illegally also added the number of days since official release. The lower this number, the faster the software had been cracked: a source of pride for skillful hackers. In this context, zero day software referred to programs that had been shared before their official release, meaning they were stolen from the server of the developer. Thus the connection between the term zero day and breaking into networks.

From its initial discovery to the release of a patch, the life of a newfound vulnerability can be split into several phases. First, there is the discovery of the vulnerability. The next stage depends on how news of the vulnerability spreads: If researchers or cybersecurity analysts identify the flaw, they inform the developer and work on a security update can begin.

However, if cybercriminals find the weak spot first, they can begin infiltrating vulnerable systems before the issue is patched. In cases like these, where cybercrime has the element of surprise, the software flaw is considered a zero day vulnerability.

Once programmers have identified the problem and found a suitable solution (i.e. one that fixes the exploit without compromising the software’s functionality), the next step is the release of a patch. However, just because an update is available does not mean the vulnerability is eliminated. Only once all vulnerable systems have been patched can hackers no longer abuse the exploit. Given that security issues can affect dozens of applications, hundreds of services and potentially millions of devices, the complete rollout of a critical security update can take weeks or months.

By definition, a zero day vulnerability becomes active before a security patch is available, meaning there is no surefire solution to defend against zero day attacks. However, there are a number of steps organizations can take to both reduce the risk of zero days and minimize their impact if an attack does take place. You can find the most important safeguards to protect against zero days listed below.

This may sound obvious, but once a patch is available, it must be applied to all affected systems and devices on your network as soon as possible. To make sure you don’t waste any time and extend the attack window for hackers, prepare for the patch rollout by identifying all at risk systems and come up with a plan for updating devices as quickly as you can. A central patch management solution makes this process a lot easier.

It takes time to fully analyze and patch a security issue. As a short-term solution, software companies sometimes publish workarounds that allow you to temporarily close the security hole. This may take the form of a script you can run, disabling specific features or changes to your operating system settings. Keep an eye out for any news from the developer so you don’t miss out on tips that can help keep you safe!

Compatibility issues or hardware constraints sometimes make it impossible to run the latest version of software, forcing organizations to keep devices on older patches. Although this may be necessary to avoid negative business outcomes, it still represents a massive security issue. Unpatched systems need to be protected by other means, such as isolating them from the network, enforcing strict access control or using application whitelisting.

Intrusion detection systems (IDS) or extended detection and response (XDR) are automated solutions that help admins track suspicious activity and identify potential attacks. Even if you have no way to prevent a zero day attack: The sooner you spot a breach, the faster your IT team can contain it, reducing its scope and damage. In order to tell unauthorized activity from normal behavior, you need to have a clear picture of typical data streams and user activity.

Even if cybersecurity best practices cannot stop attackers from exploiting an unpatched vulnerability, they can still help you respond more quickly and get back on your feet faster once it is over. For example, having an emergency response plan and multiple redundant backups of critical data can help you restore your IT and prevent extended outages.

If you’re familiar with the ATT&CK framework, you know that cyberattacks take place in multiple stages. Zero day vulnerabilities are typically used to gain initial access into a network. Once inside, intruders will try to spread across the network (lateral movement) and gain access to higher permission levels (privilege escalation).

By ensuring that employees only have access to resources that are strictly necessary for their business role, you can stop the attack from spreading and minimize the damage a zero day can cause. This approach, also known as least privilege access, is a cornerstone of modern IT security and strategies like zero trust.

Enforcing least privilege access requires stringent permission and user management. During the onboarding process, organizations need to ensure that users only receive permissions they absolutely need. What’s more, whenever a user’s role changes (for example when they are promoted or change department), privileges that are no longer required for their new position need to be promptly removed. This requires businesses to conduct regular audits, also known as user access reviews.

When you are dealing with hundreds of accounts in dozens of systems, the only realistic way to manage user lifecycles is through an automated solution: identity access management software like tenfold helps you manage users and permissions safely and efficiently across your entire network, from local file servers to M365 services and third-party applications. In addition, tenfold makes access reviews swift and painless by compiling pending audits into handy checklists. Discover the advantages of tenfold for yourself by signing up for a free trial today!