Why Are There So Many Zero-Day Security Holes?
Cybercriminals use zero-day vulnerabilities to break into computers and networks. Zero-day exploits seem to be on the rise, but is that really the case? And can you defend yourself? This article looks at the details.
What Are Zero-Day Vulnerabilities?
A zero-day vulnerability is a bug in a piece of software. Of course, all complicated software has bugs, so why should a zero-day be given a special name? A zero-day bug is one that has been discovered by cybercriminals while the authors and users of the software don’t yet know about it. And, crucially, a zero-day is a bug that gives rise to an exploitable vulnerability.
These factors combine to make a zero-day a dangerous weapon in the hands of cybercriminals. They know about a vulnerability that no one else knows about. This means they can exploit that vulnerability unchallenged, compromising any computers that run that software. And because no one else knows about the zero-day, there will be no fixes or patches for the vulnerable software.
So, for the short period between the first exploits taking place—and being detected—and the software publishers responding with fixes, the cybercriminals can exploit that vulnerability unchecked. Something overt like a ransomware attack is unmissable, but if the compromise is one of covert surveillance it might be a very long time before the zero-day is discovered. The infamous SolarWinds attack is a prime example.
Zero-Days Have Found Their Moment
Zero-days aren’t new. But what is particularly alarming is the significant increase in the number of zero-days being discovered. More than twice as many have been found in 2021 as in 2020. The final numbers are still being collated for 2021—we’ve still got a few months to go, after all—but indications are that around 60 to 70 zero-day vulnerabilities will have been detected by the year-end.
Zero-days have a value to the cybercriminals as a means of unauthorized entry to computers and networks. They can monetize them by executing ransomware attacks and extorting money from the victims.
But zero-days themselves have a value. They are saleable commodities and can be worth huge sums of money to those who discover them. The black-market value of the right kind of zero-day exploit can easily reach many hundreds of thousands of dollars, and some examples have exceeded $1 million. Zero-day brokers will buy and sell zero-day exploits.
Zero-day vulnerabilities are very difficult to discover. At one time they were only found and used by well-resourced and highly skilled teams of hackers, such as state-sponsored advanced persistent threat (APT) groups. The creation of many of the zero-days weaponized in the past has been attributed to APTs in Russia and China.
Of course, with enough knowledge and dedication, any sufficiently accomplished hacker or programmer can find zero-days. White-hat hackers are among the good guys who try to find them before the cybercriminals do. They deliver their findings to the relevant software house, which will work with the security researcher who found the issue to close it off.
New security patches are created, tested, and made available. They’re rolled out as security updates. The zero-day is only announced once all the remediation is in place. By the time it becomes public, the fix is already out in the wild. The zero-day has been nullified.
Zero-days are sometimes used in commercial products. The NSO Group’s controversial spyware product Pegasus is used by governments to fight terrorism and maintain national security. It can install itself on mobile devices with little or no interaction from the user. A scandal broke in 2018 when Pegasus was reportedly used by several authoritarian states to conduct surveillance against their own citizens. Dissidents, activists, and journalists were being targeted.