Zero Day Vulnerability: How to Defend Against Unpatched Exploits
Zero day vulnerabilities are weaknesses in IT systems that attackers discover and exploit before the developer learns of their existence. Once a new zero day is discovered, software manufacturers need to rush to fix the problem with a security update. Read our guide to learn what you can do to defend against the dangers of zero day vulnerabilities in the meantime.
What Is a Zero Day Vulnerability?
The term zero day vulnerability refers to a weak spot in an IT system that hackers discover before the developer of the hardware or software does. This time advantage gives bad actors the chance to develop attack strategies and carry out cyberattacks while no security patch is available. The name zero day refers to the fact that once manufacturers discover the issue, they have very little time (zero days) to fix it.
The fact that there is no security patch available when zero days first become public makes the discovery of a new zero day some of the worst news imaginable for IT teams, CIOs and CISOs. Organizations that are affected by a newly published vulnerability need to do everything in their power to mitigate the risk, for example by temporarily disabling vulnerable systems.
Zero Day: Difference Between Vulnerability, Exploit & Attack
There are several terms that are used in connection with zero days, mostly to refer to different stages from discovering a theoretical weakness to carrying out a specific cyberattack based on it. There are three core concepts you need to understand when it comes to zero days:
A zero day vulnerability is a previously undiscovered issue with a piece of software or hardware that opens it up to some form of attack.
A zero day exploit is a method or technique attackers develop that leverages the vulnerability for their own goals.
A zero day attack is a specific cyberattack carried out based on this technique, for example the attack on a company or government organization.
Zero Day Vulnerability: CVE Classification
The CVE reference system, short for Common Vulnerabilities and Exposures, is used to track vulnerabilities in IT systems. Each newly discovered weakness receives a unique identifier that includes the year of its discovery and a consecutive number. Additionally, vulnerabilities receive a CVSS score on a scale from 0 to 10 that indicates the severity of the issue.
CVSS scores are based on several factors, including how the weakness can be reached (locally, from an adjacent network or via the internet), how complex the exploit is to carry out, how much authentication attackers need to bypass and how strongly it impacts the confidentiality, integrity and availability of data. Weaknesses with a CVSS score of 9 or higher are considered critical vulnerabilities.
Examples of Zero Day Vulnerabilities
Zero day vulnerabilities can affect all sorts of IT systems, ranging from web apps, cloud services and SaaS platforms to locally installed software and even the firmware of devices. By definition, any security issue that attackers discover before the manufacturer is considered a zero day vulnerability. Bugs or software problems that a developer has yet to discover are not always dangerous. However, zero days tend to make the news and receive the most attention when they endanger widely used services.
Examples of well-known zero day vulnerabilities that led to large attack waves include:
Outlook NTLM zero day: A recent example of the dangers of zero day vulnerabilities is CVE-2023-23397 in Outlook. By sending a manipulated calendar invite, attackers can trick the email server into sending them the recipient's NTLM hash. In turn, the hash can be used to bypass authentication and log in as the victim. Crucially, this attack requires no interaction on the part of the target (a zero click attack). The victim doesn't have to open or accept the invite for the attack to work. Microsoft has since patched the issue and released a script that allows organizations to check if they were targeted using this exploit.
GoAnywhere zero day: A security issue with the license query in the managed file transfer software GoAnywhere MFT (CVE-2023-0999) allowed attackers to inject commands and execute code remotely to infect systems with ransomware. Until the vulnerability was discovered and patched, this led to a wave of attacks. In particular, the weakness was exploited by the ransomware gang Clop to target roughly 130 companies.
Log4j zero day: Log4j is an open source framework for logging system events that is used by many applications. CVE-2021-44228 allowed attackers to manipulate the content of log entries to execute arbitrary code. Since this open source utility is widely used, countless services were affected by the vulnerability. Despite this fact, log4j led to fewer attacks than experts initially expected.
EternalBlue zero day: CVE-2017-0144 a.k.a. EternalBlue may be one of the most long-lived zero days in existence. The underlying problem in how Windows systems process the server message block was initially discovered by the NSA, who kept it secret for around five years to use the exploit for their own goals. Details of EternalBlue eventually leaked, leading the agency to inform Microsoft in 2017 so they could patch the issue. In the same year, however, EternalBlue was used for numerous attacks with the WannaCry ransomware.
Heartbleed zero day: An error in the OpenSSL library used for encrypted connections allowed attackers to trick web servers into sending them data directly from their RAM, which included passwords and encrypted messages. Heartbleed (CVE-2014-0160) abused the missing input validation in OpenSSL's heartbeat extension, which periodically passes a short message between server and client to confirm an active connection. By exceeding the buffer of this message, attackers could force the server to leak data from its memory. The issue was patched the same day it became public on April 7, 2014, and for good reason: Heartbleed made nearly all websites vulnerable to data theft.
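The "missing input validation" behind Heartbleed is a single length check, which is worth seeing side by side with the fix. The following Python model is an added example, not OpenSSL's code and not from the original page: it imitates the heartbeat handler with a constructed memory image in which a fake session key sits right behind the receive buffer, and runs it once without and once with the bounds check that the patch introduced. The message layout (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding) follows the TLS heartbeat extension; everything else is a simplification for illustration.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # every heartbeat carries at least 16 bytes of random padding


def process_heartbeat(memory: bytes, record_len: int, check_bounds: bool) -> Optional[bytes]:
    """Simplified model of the heartbeat handler (not OpenSSL's code).

    `memory` is the receive buffer followed by whatever else lives in process RAM;
    `record_len` is how many bytes the TLS record actually contained.  With
    check_bounds=False the function behaves like the unpatched code; with
    check_bounds=True it applies the length validation the fix added.
    """
    if check_bounds and record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to be a valid heartbeat: discard silently
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if check_bounds and 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # claimed payload does not fit in the record: discard silently
    # The unpatched code reaches this point with payload_len unchecked and
    # copies that many bytes from the buffer, past the end of what was received.
    payload = memory[3: 3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + bytes(PADDING_LEN)


def simulate(payload: bytes, claimed_len: int, check_bounds: bool) -> Optional[bytes]:
    """Place a heartbeat record in a constructed memory image next to a fake secret and run the handler."""
    record = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + bytes(PADDING_LEN)
    # Constructed stand-in for data that must never leave the process.
    secret = b"SESSION-KEY-0123456789abcdef"
    memory = record + secret + bytes(4096)
    return process_heartbeat(memory, len(record), check_bounds)


def leaked_secret(response: Optional[bytes]) -> bool:
    """True if the response echoed bytes that were never part of the request."""
    return response is not None and b"SESSION-KEY" in response


if __name__ == "__main__":
    honest = simulate(b"hello", 5, check_bounds=False)
    print("well-formed request, unpatched:", honest[3:8], "leak:", leaked_secret(honest))
    bad_unpatched = simulate(b"hello", 200, check_bounds=False)
    print("mismatched length, unpatched: leak:", leaked_secret(bad_unpatched))
    bad_patched = simulate(b"hello", 200, check_bounds=True)
    print("mismatched length, patched: response:", bad_patched)
```

The defensive takeaway is that the patched handler discards the record rather than echoing a shorter payload: responding to a malformed request at all would still reveal to the sender that the length field is being inspected, and silently dropping it is the behaviour the actual fix chose.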
What Makes Zero Day Vulnerabilities So Dangerous?
Unfortunately, bugs and security issues in software are a common occurrence. Cybercriminals as well as security specialists and software developers are constantly searching for new vulnerabilities in code. Most of the time, developers, researchers and ethical white hat hackers manage to discover and patch bugs before they become a problem.
To provide developers with the time they need to develop an update, it is common practice for security experts to inform the manufacturer of a product before they make a vulnerability public. This policy was established by the prolific hacker Rain Forest Puppy, which is why it is known as RFPolicy. This way, companies have enough time to fix the problem so that, by the time they inform the public, a patch is ready and rolled out to as many affected systems as possible.
And there you have the issue: When hackers and other bad actors are first to discover a new vulnerability, they have the advantage and can develop exploits and launch attacks before the security hole is closed. Often, manufacturers only learn of the new weakness once customers report attacks or criminals discuss the strategy in hacking forums or similar channels. Not only does this mean that the zero day vulnerability is being actively exploited, but once a developer learns of it, it can still take several days until a patch is ready to deploy.
Where Does the Term Zero Day Come From?
There are multiple theories regarding the origin of the phrase zero day vulnerability. Most connect the term to the lack of time or advance notice, and the pressure this puts on the manufacturer: i.e. the fact that the developer has zero days to prepare a patch. Or a hypothetical day zero when exploits are created and attacks begin but the developer has yet to learn of the issue.
Another explanation suggests software piracy and the warez scene as the source of the term zero day. Users who shared software illegally also added the number of days since official release. The lower this number, the faster the software had been cracked: a source of pride for skillful hackers. In this context, zero day software referred to programs that had been shared before their official release, meaning they were stolen from the server of the developer. Thus the connection between the term zero day and breaking into networks.
Lifecycle of a Zero Day Vulnerability
From its initial discovery to the release of a patch, the life of a newfound vulnerability can be split into several phases. First, there is the discovery of the vulnerability. The next stage depends on how news of the vulnerability spreads: If researchers or cybersecurity analysts identify the flaw, they inform the developer and work on a security update can begin.
However, if cybercriminals find the weak spot first, they can begin infiltrating vulnerable systems before the issue is patched. In cases like these, where cybercrime has the element of surprise, the software flaw is considered a zero day vulnerability.
Once programmers have identified the problem and found a suitable solution (i.e. one that fixes the exploit without compromising the software’s functionality), the next step is the release of a patch. However, just because an update is available does not mean the vulnerability is eliminated. Only once all vulnerable systems have been patched can hackers no longer abuse the exploit. Given that security issues can affect dozens of applications, hundreds of services and potentially millions of devices, the complete rollout of a critical security update can take weeks or months.
You can find more security tips in our guide on AD Security Best Practices.
How to Protect Against Zero Day Vulnerabilities
By definition, a zero day vulnerability becomes active before a security patch is available, meaning there is no surefire solution to defend against zero day attacks. However, there are a number of steps organizations can take to both reduce the risk of zero days and minimize their impact if an attack does take place. You can find the most important safeguards to protect against zero days listed below.
This may sound obvious, but once a patch is available, it must be applied to all affected systems and devices on your network as soon as possible. To make sure you don't waste any time or extend the attack window for hackers, prepare for the patch rollout by identifying all at-risk systems and come up with a plan for updating devices as quickly as you can. A central patch management solution makes this process a lot easier.
It takes time to fully analyze and patch a security issue. As a short-term solution, software companies sometimes publish workarounds that allow you to temporarily close the security hole. This may take the form of a script you can run, disabling specific features or changes to your operating system settings. Keep an eye out for any news from the developer so you don’t miss out on tips that can help keep you safe!
Isolate Legacy Systems
Compatibility issues or hardware constraints sometimes make it impossible to run the latest version of software, forcing organizations to keep devices on older patches. Although this may be necessary to avoid negative business outcomes, it still represents a massive security issue. Unpatched systems need to be protected by other means, such as isolating them from the network, enforcing strict access control or using application whitelisting.
Use Intrusion Detection
Intrusion detection systems (IDS) or extended detection and response (XDR) are automated solutions that help admins track suspicious activity and identify potential attacks. Even if you have no way to prevent a zero day attack, the sooner you spot a breach, the faster your IT team can contain it, reducing its scope and damage. In order to tell unauthorized activity from normal behavior, you need to have a clear picture of typical data streams and user activity.
Follow Best Practices
Even if cybersecurity best practices cannot stop attackers from exploiting an unpatched vulnerability, they can still help you respond more quickly and get back on your feet faster once it is over. For example, having an emergency response plan and multiple redundant backups of critical data can help you restore your IT and prevent extended outages.
If you’re familiar with the ATT&CK framework, you know that cyberattacks take place in multiple stages. Zero day vulnerabilities are typically used to gain initial access into a network. Once inside, intruders will try to spread across the network (lateral movement) and gain access to higher permission levels (privilege escalation).
By ensuring that employees only have access to resources that are strictly necessary for their business role, you can stop the attack from spreading and minimize the damage a zero day can cause. This approach, also known as least privilege access, is a cornerstone of modern IT security and strategies like zero trust.
Enforcing least privilege access requires stringent permission and user management. During the onboarding process, organizations need to ensure that users only receive permissions they absolutely need. What’s more, whenever a user’s role changes (for example when they are promoted or change department), privileges that are no longer required for their new position need to be promptly removed. This requires businesses to conduct regular audits, also known as user access reviews.
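The review step described above (compare what a user holds against what their current role justifies, and strip anything left over from a previous role) is simple enough to express in code. The script below is an added example written for this article, not tenfold's software or an API it exposes; the role baseline, entitlement names and users are constructed sample data, and the `HIGH_RISK` set is an assumption about which entitlements an auditor would want called out first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role baseline: the entitlements each business role is supposed to carry.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounting": {"share:finance", "m365:Team-Finance", "sap:FI_USER"},
    "marketing": {"share:marketing", "m365:Team-Marketing", "crm:campaign_editor"},
    "it-admin": {"ad:Domain Admins", "share:it", "m365:Global Admin"},
}

# Assumed list of entitlements that should be reviewed first whenever they appear as excess.
HIGH_RISK: Set[str] = {"ad:Domain Admins", "m365:Global Admin"}


@dataclass
class User:
    name: str
    role: str
    entitlements: Set[str] = field(default_factory=set)


def review(user: User, baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> Dict[str, List[str]]:
    """Compare a user's entitlements with the baseline for their role.

    'excess' is what least privilege says should be removed, 'missing' is what the
    role grants but the user lacks, 'high_risk' is the excess that needs attention first.
    """
    expected = baseline.get(user.role)
    if expected is None:
        raise KeyError(f"no baseline defined for role {user.role!r}")
    excess = user.entitlements - expected
    return {
        "excess": sorted(excess),
        "missing": sorted(expected - user.entitlements),
        "high_risk": sorted(excess & HIGH_RISK),
    }


def change_role(user: User, new_role: str,
                baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> Dict[str, List[str]]:
    """Move a user to a new role: grant that role's baseline and revoke everything else.

    Returns what was granted and revoked so the change can be logged for the next audit.
    """
    if new_role not in baseline:
        raise KeyError(f"no baseline defined for role {new_role!r}")
    target = baseline[new_role]
    revoked = sorted(user.entitlements - target)
    granted = sorted(target - user.entitlements)
    user.role = new_role
    user.entitlements = set(target)
    return {"granted": granted, "revoked": revoked}


def audit(users: List[User]) -> Dict[str, Dict[str, List[str]]]:
    """Periodic access review: report only users whose entitlements deviate from their role."""
    findings = {}
    for user in users:
        result = review(user)
        if result["excess"] or result["missing"]:
            findings[user.name] = result
    return findings


if __name__ == "__main__":
    # Constructed scenario: Alice was promoted out of accounting but kept her old access,
    # and a former admin still holds a privileged group after moving to marketing.
    alice = User("alice", "marketing", {"share:finance", "sap:FI_USER", "m365:Team-Marketing"})
    bob = User("bob", "marketing", ROLE_BASELINE["marketing"] | {"ad:Domain Admins"})
    carol = User("carol", "accounting", set(ROLE_BASELINE["accounting"]))
    for name, finding in audit([alice, bob, carol]).items():
        print(name, finding)
    print("alice role change:", change_role(alice, "marketing"))
    print("alice after change:", review(alice))
```

Running the audit before the role change flags Alice's leftover finance access and Bob's domain admin membership; after `change_role` the review for Alice comes back clean, which is the state a user access review should confirm after every onboarding or transfer.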
When you are dealing with hundreds of accounts in dozens of systems, the only realistic way to manage user lifecycles is through an automated solution: identity and access management software like tenfold helps you manage users and permissions safely and efficiently across your entire network, from local file servers to M365 services and third-party applications. In addition, tenfold makes access reviews swift and painless by compiling pending audits into handy checklists. Discover the advantages of tenfold for yourself by signing up for a free trial today!