Zero-Day Doom and Gloom
When recent vulnerabilities like log4j and Spring4Shell were first reported, I heard them described with the words “zero-day”. It sounds pretty dark, like the beginning of the zombie apocalypse or something. Can you give me more context?
Feeling Gloomy about Zero Day
Hi Feeling Gloomy about Zero Day,
You are definitely right that any phrase beginning with “zero-day” is far from positive. There are three different terms you’ll hear preceded by “zero-day”: vulnerability, exploit and attack. Let’s break each of those down.
Defining Zero-Day Terms
A zero-day vulnerability is a software weakness that the vendor or developer of said software is not yet aware of. Because the vulnerability isn’t known, those responsible for the software haven’t had a chance to fix the issue. Zero-day vulnerabilities are named as such because the vulnerability has been known about for zero days. It’s also likely that these vulnerabilities will remain zero-day for some time before they are reported. Once someone reports the issue, which can be an external party or someone associated with the vendor, it is no longer considered a zero-day vulnerability.
A zero-day exploit occurs when someone creates a way to use that vulnerability for insidious purposes. It is usually bad actors who use zero-day exploits for their own gain, as there has been a market for zero-day exploits for many years now. On a positive note, there are ways to ethically report zero-day exploits. In 2021, two white-hat hackers (also called ethical hackers) found a Remote Code Execution (RCE) bug in Zoom during Pwn2Own, an annual hacking contest. They earned $200,000 for their discovery and saved Zoom and its users from a potential security issue.
After a zero-day exploit is available, the zero-day attack is the final piece of the puzzle. The exploit is then used to attack the vulnerability. The attack will vary depending on the nature of the vulnerability but is sure to cause damage.
How Can I Protect Myself?
Protecting yourself from every unknown vulnerability in every facet of your life isn’t always going to be possible. Fear not, there are some steps you can take to reduce your risk.
If you’re a developer, ensure that any OSS (open source software) components you’re using in your projects are not outdated and potentially more vulnerable to security threats. Using an SCA (software composition analysis) tool can help to reveal any security risk in your public OSS components.
Be mindful of the things that you download and install. If a link from an email or website doesn’t look right, or a download prompt appears that you don’t recognize, be cautious. Understanding social engineering tactics, like phishing, can make you more security conscious.
Here are some resources that might alleviate your anxiety. After recently reported vulnerabilities, we made guides for our customers to help them Find and Fix Spring4Shell and Log4j. While we share how to use Nexus Lifecycle to find these vulnerabilities, you may find the general information helpful. Our Sonatype Blog has a category just for vulnerabilities, so check it out for the latest news.
Can’t get enough of Sloan? Subscribe below, and let us know what topics you’d like Sloan to write about next in the comments below!
~ Making Cyber a Safer Space