What is a zero day? A powerful but fragile weapon

CSO Online | Mar 11, 2020

All software has bugs, and some of those bugs are security flaws that can be exploited and turned into weapons. A zero day is a security flaw that has not yet been patched by the vendor and can be exploited. Here's what you need to know.

Copyright © 2020 IDG Communications, Inc.

A zero day is a security flaw that has not yet been patched by the vendor and can be exploited. These flaws get their name from the number of days that a patch has existed for the flaw: zero.

Once the vendor announces a security patch, the bug is no longer a zero day. After that the security flaw joins the ranks of endless legions of patchable vulnerabilities.

In the past, say 10 years ago, a single zero day might have been enough to gain complete control of a given target. This made discovery and possession of any given zero day extremely powerful.

Today, security mitigations in consumer operating systems like Windows 10 or Apple's iOS mean that it is often necessary to chain together several, sometimes dozens, of minor zero days to achieve the same effect. This has driven the black market payout for a remote execution zero day in iOS, for example, to astronomical levels.

Want to make a cool $1.5 million? Find the right kind of iPhone zero day and sell it to Zerodium, one of the more prominent players that claims to pay "the highest bounties on the market," according to their website. Grey market brokers like Zerodium sell only to approved governments, but the black market will sell to anyone, including organized crime, drug cartels, and countries like North Korea or Iran, which are excluded from the grey market.

Security researchers with a conscience are best off reporting zero days to the company whose software or hardware contains the flaw. Organizations of any significant size should publish a vulnerability disclosure process, which publicly promises to hold harmless good-faith reports of security issues and triages the reported issues internally.

To encourage reports of zero-day vulnerabilities, organizations can optionally offer a bug bounty program, which stimulates research and disclosure by offering substantial financial payouts to ethical security researchers. These payouts do not and will never rival the black market, but instead aim to reward security researchers who do the right thing.

Zero days are sexy and exciting but, let's face it, not as big a deal as they used to be. Just because a vendor has announced a patch doesn't mean vulnerable devices get patched. As a result, so-called "old days" are often more than sufficient for attackers.

Additionally, in many cases, attackers who possess zero-day exploits prefer not to use them, because using a zero-day exploit against a savvy defender could disclose that zero day to the defender. This makes zero-day exploits fragile weapons, especially when deployed in the covert wrestling match between nation-states taking place in the cyber domain today.