Zero-day (zero-hour or day zero) vulnerabilities are previously unknown vulnerabilities that have not been disclosed publicly but are already being exploited by attackers. Discovering and exploiting zero-day vulnerabilities lets cybercriminals raise the success rate of their attacks. Attacks using zero-day exploits are hard to identify and analyze because, in many cases, no information about the vulnerability is available until the attacks have already occurred. Signature- and patch-based defenses offer practically no protection against zero-day attacks, since the details of the vulnerability are usually unknown when these attacks are first observed.
In a typical scenario, when a new vulnerability is found, the vendor that created the hardware or software is notified and works to produce a fix within a reasonable time. A security vulnerability is usually a programming or design error that escaped the testing phase. Attackers can sometimes identify the bug first, exploit it, and package the exploit with a malicious payload to carry out zero-day attacks against targets of their choice. Once the security community discovers and analyzes the vulnerability, its details are published in a public advisory, and the affected hardware or software vendor may release a patch at the same time as the disclosure. However, it can take some time for a software vendor to patch the flaw, because the fix has to go through testing and quality assurance before it is released. In the meantime, security vendors update their antivirus and IPS signatures to detect the potential exploits, or even the specific attacks seen in the wild.
The lifecycle of a zero-day vulnerability can be divided into the following phases:
- Attackers discover a vulnerability either through fuzzing or by accident.
- The attackers generate a working exploit that drops and executes a malicious binary on the system.
- The attackers use the exploit in attacks.
- Security vendors or researchers identify in-the-wild exploits through various monitoring applications or through customer submitted samples. If a security vendor becomes aware of the exploit first, the software vendor is notified before the information is made public.
- The vulnerability is revealed to the public, either by the software vendor or the security vendor.
- The security vendors release new signatures for antivirus and IPS products.
- The software vendors release a patch with the appropriate fixes.
Figure 1. Zero-day vulnerability lifecycle
Attackers also take advantage of the vulnerability in the window between its public disclosure and the installation of the patch on affected systems. Exploitation typically increases for a few days after the information goes public, as the details become available to a wider set of attackers. It then slowly decreases in the wild as antivirus and IPS signatures are deployed, and drops further once the vendor patches are installed.
Over the past ten months we have observed a number of zero-day vulnerabilities exploited in the wild in commonly installed software. The exploits used in these attacks allowed remote code execution and demonstrated a high level of technical capability on the part of the attackers.
A number of zero-day vulnerabilities were seen in use up to September 2012. In April 2012, we identified several different types of malware that were delivered using the Adobe Flash Player Object Type Confusion Vulnerability (CVE-2012-0779). Soon after, we observed two other zero-day exploits, for the Microsoft Internet Explorer Same ID Property Vulnerability (CVE-2012-1875) and the Microsoft XML Core Services Vulnerability (CVE-2012-1889).
Figure 2. Notable zero-day exploits in April-September 2012
In September 2012, a zero-day exploit for the Microsoft Internet Explorer Image Arrays Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4969) was discovered on a server associated with the Nitro hacking group. The same server had also recently been used to serve an exploit for the Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681). We have also observed Flash (SWF) files carrying various exploits to drop malware, including the following:
- Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
- Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
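Flash files that carry an exploit and its payload are a recurring delivery vehicle in the cases above, so a first triage step for a suspicious SWF is to parse its container and look for what is embedded in it. The script below is an added example written for this post, not code from Symantec or Adobe: it reads the SWF header (the signature `FWS`/`CWS`/`ZWS`, the version byte and the little-endian uncompressed length), inflates a zlib-compressed `CWS` body, and then flags embedded PE images (an `MZ` header whose `e_lfanew` field points at `PE\0\0`) and nested SWF headers. The sample SWF it inspects is constructed inline and carries a minimal PE stub; it is not one of the exploit files described in the text, and the heuristics are a generic triage aid rather than a detection for any of the listed CVEs.

```python
"""Triage helper for suspicious Flash (SWF) samples (constructed example).

Parses the SWF container, inflates a zlib-compressed body and flags embedded
payloads. LZMA-compressed (ZWS) files are reported but not inflated here.
"""
import hashlib
import struct
import zlib

SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf(data: bytes) -> dict:
    """Return header fields and the inflated body; raise ValueError if not a SWF."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    if sig not in SWF_SIGNATURES:
        raise ValueError("not a SWF signature: %r" % sig)
    # uint32 little-endian: length of the whole *uncompressed* file, header included
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])  # zlib stream follows the 8-byte header (SWF 6+)
    else:
        raise ValueError("ZWS (LZMA) container not inflated by this helper")
    return {"compression": SWF_SIGNATURES[sig], "version": version,
            "declared_len": declared_len, "body": body}


def _looks_like_pe(buf: bytes, i: int) -> bool:
    """True if an 'MZ' at offset i has an e_lfanew that points at a 'PE\\0\\0' header."""
    if i + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, i + 0x3C)[0]
    j = i + e_lfanew
    return j + 4 <= len(buf) and buf[j:j + 4] == b"PE\x00\x00"


def find_embedded(body: bytes) -> list:
    """Locate embedded PE images and nested SWF containers in an inflated body."""
    hits = []
    for marker, label in ((b"MZ", "pe"), (b"FWS", "swf"), (b"CWS", "swf")):
        start = 0
        while True:
            i = body.find(marker, start)
            if i < 0:
                break
            if label == "pe" and _looks_like_pe(body, i):
                hits.append((label, i))
            # nested SWF: plausible version byte and a declared length of at least the header
            elif label == "swf" and i + 8 <= len(body) and 1 <= body[i + 3] <= 40 \
                    and struct.unpack_from("<I", body, i + 4)[0] >= 8:
                hits.append((label, i))
            start = i + 1
    return hits


def triage(data: bytes) -> dict:
    """Summarise a sample: hash for submission, container facts, embedded payloads."""
    info = parse_swf(data)
    actual_len = 8 + len(info["body"])
    hits = find_embedded(info["body"])
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "version": info["version"],
        "compression": info["compression"],
        "declared_len": info["declared_len"],
        "actual_len": actual_len,
        # a length field that disagrees with the inflated size is itself worth a look
        "length_mismatch": info["declared_len"] != actual_len,
        "embedded": hits,
        "suspicious": bool(hits),
    }


def build_sample() -> bytes:
    """Constructed CWS sample: a tiny frame header, a minimal PE stub, an End tag."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)       # DOS header up to e_lfanew
    pe += struct.pack("<I", 0x40)                # e_lfanew -> offset 0x40
    pe += b"PE\x00\x00" + b"\x00" * 0x10         # NT signature plus padding
    body = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"  # RECT, rate, frames
            + bytes(pe) + b"\x00\x00")                                  # End tag
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


if __name__ == "__main__":
    report = triage(build_sample())
    for key in ("sha256", "version", "compression", "declared_len", "actual_len",
                "length_mismatch", "embedded", "suspicious"):
        print("%-16s %s" % (key, report[key]))
```

Run it against a real sample with `triage(open(path, "rb").read())`; a hit only means the file deserves a closer look in a sandbox, since legitimate SWFs can embed other SWFs, and an exploit may carry its stage as encoded ActionScript data rather than a raw PE.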
Zero-day exploits are highly sought after by cybercriminals, who expend considerable effort to find them. The appearance of a zero-day exploit can catch a software vendor off guard, as vendors do not always expect their software to be probed and scrutinized so intensely for vulnerabilities. Security researchers, for their part, keep a constant lookout in order to keep exploit activity to a minimum. Leyla Bilge and Tudor Dumitraș of Symantec Research Labs recently wrote a paper entitled “Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World”. In it, they identified 18 vulnerabilities that were exploited in the real world before full disclosure, and found that these vulnerabilities had been exploited in the wild for an average of 312 days before they were disclosed. The study measures the duration and prevalence of zero-day attacks in the real world before the corresponding vulnerabilities became public, and it makes for an interesting read.