
  • 8/22/2019 Zero Day Attack


    Zero-day attack

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

    Attack vectors

Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. Web browsers are a particular target because of their widespread distribution and usage. Attackers can also send e-mail attachments, which exploit vulnerabilities in the application opening the attachment.[2] Exploits that take advantage of common file types are listed in databases like US-CERT. Malware can be engineered to take advantage of these file type exploits to compromise attacked systems or steal confidential data such as banking passwords and personal identity information.[3]

    Vulnerability window

Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.

For worms, viruses, Trojans and other zero-day malware attacks, the vulnerability window follows this time line:

1. The developer creates software containing an unknown vulnerability.
2. The attacker finds the vulnerability before the developer does (or while the developer is aware of it but has neglected or been unable to fix it).
3. The attacker writes an exploit while the vulnerability is either not known to the developer or known but still not closed (e.g., due to an internal assessment of the threat's potential damage costs being lower than the costs of developing a fix), and usually also uses and distributes it.
4. The developer or the public becomes aware of the exploited vulnerability and the developer is forced to start working on a fix, if not already working on one.
5. The developer releases the fix.

Conceptually, there is one more event in the zero-day attack time line, which is the users applying the fix, effectively closing the vulnerability window, but that can vary, as some users may simply stop using the affected software as soon as the problem surfaces. Meanwhile, others may never know of it at all, thus never fixing it and thereby keeping the vulnerability window open. Thus, the vulnerability window's length is usually just measured until the developer releases the fix.

Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute such information for commercial or security reasons. Developers also may not know if the vulnerability is being exploited when they fix it, and so may not record the vulnerability as a zero-day attack. By one estimate, "hackers exploit security vulnerabilities in software for 10 months on average before details of the holes surface in public," i.e., the average vulnerability window of a zero-day exploit is about 10 months.[4] However, it can be easily shown that this window can be several years long. For example, in 2008, Microsoft confirmed a vulnerability in Internet Explorer which affected some versions that were released in 2001.[5] The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years. Some windows may never be closed, for example if they are hardwired in a device, requiring its replacement or the installation of additional hardware to protect the device from exploitation.


    Discovery

A special type of vulnerability management process focuses on finding and eliminating zero-day weaknesses. This unknown vulnerability management lifecycle is a security and quality assurance process that aims to ensure the security and robustness of both in-house and third party software products by finding and fixing unknown (zero-day) vulnerabilities. The unknown vulnerability management process consists of four phases: analyze, test, report and mitigate.[6]

Analyze: this phase focuses on attack surface analysis.
Test: this phase focuses on fuzz testing the identified attack vectors.
Report: this phase focuses on reporting the found issues to developers.
Mitigate: this phase looks at the protective measures explained below.
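As an added illustration of the test phase (example code written for this page, not from the Codenomicon process or any product), a minimal mutational fuzzer is run against a constructed TLV parser whose missing bounds check stands in for an unknown vulnerability; the same harness shows the hardened parser producing only clean rejections.

```python
import random

# Constructed sample, not code from the article: a tiny TLV record parser
# (type, length, value, xor checksum) with a planted missing bounds check.
SEED_INPUT = (b"\x01\x03abc" + bytes([ord("a") ^ ord("b") ^ ord("c")])
              + b"\x02\x01x" + bytes([ord("x")]))


def parse_tlv(data: bytes, fixed: bool = False) -> list:
    """Parse records of the form type(1) length(1) value(length) checksum(1)."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")               # clean rejection
        rtype, length = data[i], data[i + 1]
        if fixed and i + 2 + length >= len(data):
            raise ValueError("declared length exceeds buffer")  # hardened form
        value = data[i + 2:i + 2 + length]
        checksum = data[i + 2 + length]   # IndexError when the check above is absent
        xor = 0
        for b in value:
            xor ^= b
        if xor != checksum:
            raise ValueError("bad checksum")                    # clean rejection
        records.append((rtype, value))
        i += 3 + length
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, truncation, or byte insertion."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0, 1, 0x7F, 0x80, 0xFF, rng.randrange(256)])
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 7) -> list:
    """Mutational loop; returns (input, exception) pairs that crashed the parser.
    A ValueError is the parser rejecting bad input on purpose, not a finding."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:          # anything else is an unintended failure
            crashes.append((case, repr(exc)))
    return crashes
```

Each crash record is the exact input that triggered it, which is what the report phase hands to developers.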

    Protection

Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks can also remain undetected after they are launched.[7]

Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities, such as buffer overflows.[citation needed] These protection mechanisms exist in contemporary operating systems such as Microsoft Windows 8, Windows 7, Windows Vista, Apple's Mac OS X, recent Oracle Solaris, Linux and possibly other Unix and Unix-like environments; Microsoft Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities.[8] Desktop and server protection software also exists to mitigate zero-day buffer overflow vulnerabilities.[citation needed]

    "Multiple layers" provides service-agnostic protection and is the first line of defense should an exploit in any one

    layer be discovered. An example of this for a particular service is implementing access control lists in the service

    itself, restricting network access to it via local server firewalling (i.e., IP tables), and then protecting the entire

    network with a hardware firewall. All three layers provide redundant protection in case a compromise in any one of

    them occurs.

The use of port knocking or single packet authorization daemons may provide effective protection against zero-day exploits in network services. However, these techniques are not suitable for environments with a large number of users.
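An added example (not from the article or any port-knocking/SPA daemon) of the single packet authorization check described above: the verifier binds the client's source address into an HMAC, enforces a freshness window and rejects replayed nonces, so the service stays unreachable until an authenticated datagram arrives. The key, wire format and window length are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed example, not any real SPA daemon's protocol: a service port stays
# firewalled for everyone until one HMAC-authenticated datagram from the client
# checks out. Key, wire format and window are assumptions for illustration.
KEY = b"example-shared-secret"   # pre-shared key; constructed sample value
WINDOW_SECONDS = 30              # tolerated packet age / clock skew
TAG_LEN = 32                     # HMAC-SHA256 output size
BODY_LEN = 8 + 2 + 16            # timestamp(8) | port(2) | nonce(16)


def build_packet(key: bytes, client_ip: str, port: int, now: int, nonce: bytes) -> bytes:
    """Client side: body followed by an HMAC over the body and the client's source IP."""
    body = struct.pack("!QH", now, port) + nonce
    tag = hmac.new(key, body + client_ip.encode(), hashlib.sha256).digest()
    return body + tag


class SpaVerifier:
    """Server side: decides whether a datagram may open `port` for `client_ip`."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}   # nonce -> timestamp, for replay rejection inside the window

    def verify(self, packet: bytes, client_ip: str, now: int):
        """Return (port, "ok") on success, else (None, reason)."""
        if len(packet) != BODY_LEN + TAG_LEN:
            return None, "bad length"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        # Binding the source IP into the MAC makes a captured packet useless when
        # replayed from another host; compare_digest avoids a timing side channel.
        expected = hmac.new(self.key, body + client_ip.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad mac"
        ts, port = struct.unpack("!QH", body[:10])
        nonce = body[10:]
        if abs(now - ts) > WINDOW_SECONDS:
            return None, "stale"
        # forget nonces that have aged out, then refuse any nonce already used
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if nonce in self.seen:
            return None, "replay"
        self.seen[nonce] = ts
        return port, "ok"


if __name__ == "__main__":
    v = SpaVerifier(KEY)
    pkt = build_packet(KEY, "198.51.100.7", 22, 1_700_000_000, b"\x11" * 16)
    print(v.verify(pkt, "198.51.100.7", 1_700_000_000))   # (22, 'ok')
    print(v.verify(pkt, "198.51.100.7", 1_700_000_003))   # (None, 'replay')
```

A real daemon would add a firewall rule for `client_ip` on "ok" and remove it after a short timeout; the per-user shared key is also why the article notes the approach scales poorly to large user populations.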

Engineers and vendors such as Gama-Sec in Israel and DataClone Labs in Reno, Nevada are attempting to provide support with the Zeroday Project,[9] which purports to provide information on upcoming attacks and provide support to vulnerable systems.

Keeping the computer's software up to date is important as well, and it does help.

Users need to be careful when clicking on links or opening email attachments with images or PDF files, even if the sender is someone they know. This is how many cyber criminals deceive users: by pretending to be something they are not and gaining the user's trust, and by having a virus or other malware email copies of itself to the address lists of infected victims.

Use sites that support Secure Socket Layer (SSL), which secures the information being passed between the user and the visited site.


    Ethics

Differing views surround the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity. An example of such a program is TippingPoint's Zero Day Initiative.[10] While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is much controversy over the method of disclosure. A recent German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.

Most formal efforts follow some form of RFPolicy disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response.[11] In general these rules forbid the public disclosure of vulnerabilities without notification to the developer and adequate time to produce a patch.

    Footnotes

[3] "E-mail Residual Risk Assessment", Avinti, Inc., p. 2, http://avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf
[6] Anna-Maija Juuso and Ari Takanen, Unknown Vulnerability Management, Codenomicon whitepaper, October 2010 (http://www.codenomicon.com/solutions/unknown-vulnerability-management/).
[11] http://www.oisafety.org/guidelines/secresp.html


    External links

0-Day Patch - Exposing Vendors (In)security Performance (http://www.techzoom.net/publications/0-day-patch/index.en) from techzoom.net
Attackers seize on new zero-day in Word (http://www.infoworld.com/article/07/02/15/HNzerodayinword_1.html) from InfoWorld
PowerPoint Zero-Day Attack May Be Case of Corporate Espionage (http://www.foxnews.com/story/0,2933,204953,00.html) from FoxNews
Microsoft Issues Word Zero-Day Attack Alert (http://www.eweek.com/article2/0,1895,2068786,00.asp) from eWeek
Windows zero-day attack works on all Windows systems (http://nakedsecurity.sophos.com/2010/07/17/windows-zero-day-attack-works-on-all-windows-systems/) referring to Advisory 2286198 (http://www.microsoft.com/technet/security/advisory/2286198.mspx) reported on 16 July 2010
Zero-day exploit used in a targeted attack (http://labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/) referring to MS11-050 (http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx) from M86 Security Labs
How to protect against zero-day attacks (http://www.biztechmagazine.com/article/2007/02/zero-day-sucker-punch) from BizTech


Zero-Day Exploits in the light of Stuxnet and the US government (https://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html) by Bruce Schneier


    License

Creative Commons Attribution-Share Alike 3.0 Unported (//creativecommons.org/licenses/by-sa/3.0/)