Zero day attack

A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or patchfree computer application vulnerabilities. The term Zero Day is also used to describe unknown or Zero day viruses.

Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor [ [http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm About Zero Day Exploits] ] .

The term "zero-day" can also be used to describe warez-group releases of pirated software on or before the release of the software. [ [http://www.tech-faq.com/0-day.shtml What is 0-day? ] ]

Attack vectors

Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. For example, when users visit rogue (or black hat) Web sites, code on the site may exploit vulnerabilities in Web browsers. Web browsers are a particular target because of their widespread distribution and usage. Hackers can also send e-mail attachments via SMTP, which exploit vulnerabilities in the application opening the attachment [ [http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005117 "SANS sees upsurge in zero-day Web-based attacks", "Computerworld"] ] . Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases like US-CERT. Users with malicious intent can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data ["E-mail Residual Risk Assessment" Avinti, Inc., p. 2 http://avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf] .

Vulnerability window

Zero-day attacks occur when a vulnerability window exists between the time a threat is released and the time security vendors release patches.fact|date=August 2007

For viruses, Trojans and other zero-day attacks, the vulnerability window follows this timeline:
*Release of new threat/exploit into the wild
*Detection and study of new exploit
*Development of new solution
*Release of patch or updated signature pattern to catch the exploit
*Distribution and installation of patch on user's systems or updating of virus databases

This process can last hours or days, during which networks experience the so-called vulnerability window. One report estimates the 2006 vulnerability window at 28 days ["Internet Security Threat Report" Symantec Corp, Vol. X, Sept. 2006, p. 12] .

Protection

Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks also can remain undetected after they are launched [ [http://what-is-what.com/what_is/zero_day_exploit.html What is a Zero-Day Exploit?] ] .

Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities, such as buffer overflows.Fact|date=August 2007 These protection mechanisms exist in contemporary operating systems such as Apple's Mac OS X, Microsoft Windows Vista [http://en.wikipedia.org/wiki/Security_and_safety_features_new_to_Windows_Vista] , Sun Microsystems Solaris, GNU/Linux, Unix, and Unix-like environments; Microsoft Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities [ [http://microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx Changes to Functionality in Microsoft Windows XP Service Pack 2] ] . Desktop and server protection software also exists to mitigate zero day buffer overflow vulnerabilities.Fact|date=August 2007

The use of Port knocking or Single Packet Authorization daemons may provide effective protection against zero-day exploits. However these techniques are not suitable for environments with a large number of users.

Whitelisting technology effectively protects against zero day threats. Whitelisting will only allow known good applications to access a system and so any new or unknown exploits are not allowed access. Although whitelisting is effective against zero-day attack, unless it is combined with other methods of protection such as HIPS or a blacklist of virus definitions it can sometimes be quite restrictive to the user.

The Zeroday Emergency Response Team, or ZERT [ [http://isotf.org/zert/ Zeroday Emergency Response Team] ] is a group of software engineers who work to release non-vendor patches for zero-day exploits.

Another method to avoid zero day attacks is to wait for a reasonable period of time before upgrading the product. Exploits are often addressed in a timely manner by the software vendor. The fix can then be included as part of the upgrade/update process.

Ethics

Differing views surround the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity. An example of such a program is [http://www.zerodayinitiative.com TippingPoint's Zero Day Initiative] . While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is a lot of controversy over the method of disclosure. A recent German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.

Most formal efforts follow some form of RFPolicy disclosure guidelines or the more recent [http://www.oisafety.org/guidelines/secresp.html OIS Guidelines for Security Vulnerability Reporting and Response] . In general these rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch.

Pirated software

Zero day warez refers to software, videos, music, or information unlawfully released or obtained on the day of public release. Items obtained pre-release are sometimes labeled "Negative day" or "-day". Zero-day software, games, videos and music refers to the content that has been either illegally obtained or illegally copied on the day of the official release. These are usually works of a hacker or an employee of the releasing company.

ee also

*Access Control
*Intrusion-prevention system
*Network Access Protection
*Network Access Control
*Network Admission Control
*Targeted attacks

Footnotes

References

*Messmer, Ellen, [http://pcworld.com/article/id,130455/article.html "Is Desktop Antivirus Dead?"] , "PC World", April 6, 2007.
*Naraine, Ryan, [http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html "Anti-Virus Is Dead, D-E-A-D, Dead!"] , "eWeek", December 1, 2006.

External links

* [http://cve.mitre.org Common Vulnerability and Exposure database]
* [http://www.us-cert.gov US-CERT vulnerability database]
* [http://research.eeye.com/html/alerts/zeroday/index.html Zero Day Vulnerability Archive] by eEye
* [http://secunia.com/product/ Lists of advisories by product] Lists of currently unpatched vulnerabilities, by Secunia
*Examples of zero-day attacks:
** [http://www.infoworld.com/article/07/02/15/HNzerodayinword_1.html Attackers seize on new zero-day in Word] from InfoWorld
** [http://www.foxnews.com/story/0,2933,204953,00.html PowerPoint Zero-Day Attack May Be Case of Corporate Espionage] from FoxNews
** [http://www.eweek.com/article2/0,1895,2068786,00.asp Microsoft Issues Word Zero-Day Attack Alert] from eWeek