Zero Day Attacks and How to Protect Against Them?
Author: Artyom Litvin
What is a zero day attack?
Zero day is a broad term for a newly discovered security vulnerability that attackers can exploit before a fix for it exists.
A zero day attack occurs when attackers exploit a vulnerability before the vendor has had time to fix it. The term refers to a vulnerability, or an attack on it, that becomes known before the software vendor releases a patch: the flaw can be exploited on every running copy of the application, and the vendor has had zero days to fix it.
Zero day vulnerabilities give attackers new ways to deliver malicious code, and cybercriminals actively use them to build reliable infection chains. Widely deployed products such as Adobe Reader pose the greatest risk to users, because a single flaw reaches a very large number of targets.
Examples of real-life zero day vulnerabilities
1) Zero Day Vulnerability in Windows
On November 22, 2021, a researcher posted on GitHub a working exploit for the Windows zero day vulnerability CVE-2021-41379, which lets a local user with limited rights elevate privileges to SYSTEM. The vendor's fix turned out to be incomplete, so all versions of Windows supported by Microsoft were affected, including Windows 10, Windows 11 and even Windows Server 2022. With this exploit it took only a few seconds to obtain SYSTEM rights on a fully patched Windows 10 21H1 build 19043.1348. The researcher explained that the exploit also works on a PC joined to an Active Directory domain and bypasses group policies pushed from a Windows Server 2022 domain controller, for example the policy that prevents standard users from performing MSI installer operations.
2) Extremely Critical Hole in Microsoft Word 2000
Microsoft notified users of a new zero day vulnerability in the Microsoft Word 2000 editor that allowed an attacker to execute arbitrary code on the attacked machine. It was enough for the victim to open a specially crafted DOC file, which the editor parsed incorrectly, after which the attacker gained control of the system with the privileges of the user who opened the file. The vulnerability was rated Extremely Critical. Microsoft described the error on its website, although the company tried to downplay the severity of the hole.
3) Older PowerPoint Formats Are Vulnerable to Zero Day Attacks
Microsoft warned of attacks delivered through files in the PPT format of older PowerPoint versions. The company's specialists learned about the hole only after an exploit (in fact several exploits) appeared and malicious files were already circulating, so this was a true zero day vulnerability with no patch available at the time.
The vulnerability affects the file formats of PowerPoint 2000 SP3, 2002 SP3 and 2003 SP3, as well as Office 2004 for Mac. When a user opens a malicious file, PowerPoint dereferences an invalid object in memory; the attacker's code then runs with the user's rights and starts downloading Trojans from the Internet.
Problems with investigating a zero day
There are many blind spots in the study of zero days: why they are used, and how they are exploited. We may not be aware of every genuinely novel method of attacking software and services, although practice shows that attackers, too, try to save resources and reuse what already works.
One of the most important blind spots is the exploits themselves, or rather the lack of information about them: in some cases the exploit is simply not available, in others the data is not disclosed. Access to exploits lets researchers study not only the vulnerabilities but also the attack methods, and publishing that research makes life harder for the attackers. Disclosing such information is not always the right move, however. On the one hand, information exchange in the security industry improves protection; on the other, public exploits often trigger mass attacks on software that has not been patched in time.
Ways to protect against zero day attacks
Classical definitions of zero day threats stress that they are threats for which no protection has yet been developed. In practice this is not the whole picture. Eliminating a threat usually requires installing security patches, that is, updates to the programs in use, and keeping the protection system itself up to date. So the real danger comes not only from threats with no available protection, but also from threats for which protection exists but has not been applied.
Because 0-day exploits use techniques for which no signature exists yet, they cannot be detected by classic signature-based antivirus. Products built on classical antivirus technologies show poor results in dynamic antivirus tests. Still, if you keep antivirus updates current, you improve your chances of catching the threat once a signature or behavioural rule for it is published.
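The advice in this section comes down to a check that can be automated: is the host actually receiving patches, and are the relevant hardening policies set? The PowerShell script below is an added example written for this article's topic; it is not code from the original post or from Microsoft. It reads the OS build (the same 19043.1348-style number quoted in the CVE-2021-41379 example above), the age of the most recently installed update, and the Windows Installer policy values, and flags the conditions a practitioner would treat as "protection available but not used". The 30-day threshold, the variable names and the warning wording are this example's own assumptions; it deliberately asserts no "fixed" build number, because the article only states which build was still vulnerable.

```powershell
<#
Added example for this article (not code from the original post or from Microsoft).
Run in an elevated PowerShell session on the Windows host you want to check.
Assumptions: the 30-day patch-age threshold and the warning wording are this
example's own choices; no 'fixed' build number is asserted, because the article
only states that build 19043.1348 was still vulnerable.
#>
param(
    [int]$MaxPatchAgeDays = 30   # assumption: one missed monthly patch cycle is the alarm line
)

# 1. OS version and cumulative-update build, e.g. "19043.1348".
#    CurrentBuild.UBR is the number advisories and write-ups quote.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
Write-Host ('OS: {0} {1} build {2}' -f $cv.ProductName, $cv.DisplayVersion, $build)

# 2. Installed updates from Win32_QuickFixEngineering. Entries without an
#    InstalledOn date are skipped rather than treated as recent.
$hotfixes = @(Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending)

if ($hotfixes.Count -eq 0) {
    Write-Warning 'No dated updates recorded; treat this host as unpatched.'
} else {
    $latest  = $hotfixes[0]
    $ageDays = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    Write-Host ('Latest update: {0} ({1}) installed {2:yyyy-MM-dd}, {3} days ago' -f `
        $latest.HotFixID, $latest.Description, $latest.InstalledOn, $ageDays)
    if ($ageDays -gt $MaxPatchAgeDays) {
        Write-Warning ('Last update is {0} days old (> {1}): protection exists but is not applied.' -f `
            $ageDays, $MaxPatchAgeDays)
    }
}

# 3. Windows Installer policy. Defence in depth only: the CVE-2021-41379 exploit
#    described in the article bypassed the 'prohibit MSI' policy, so a set policy
#    never substitutes for the patch.
#    DisableMSI: absent/0 = installs allowed, 1 = blocked for non-managed apps,
#                2 = Windows Installer turned off.
#    AlwaysInstallElevated = 1 in BOTH hives lets any user install MSI packages
#    as SYSTEM by design. HKCU here is the hive of the account running the script.
$polPath = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hklm = Get-ItemProperty "HKLM:\$polPath" -ErrorAction SilentlyContinue
$hkcu = Get-ItemProperty "HKCU:\$polPath" -ErrorAction SilentlyContinue

$disableMsi = 0
if ($null -ne $hklm -and $null -ne $hklm.DisableMSI) { $disableMsi = $hklm.DisableMSI }
Write-Host "DisableMSI policy: $disableMsi (0 = user MSI installs allowed)"

$aieMachine = ($null -ne $hklm -and $hklm.AlwaysInstallElevated -eq 1)
$aieUser    = ($null -ne $hkcu -and $hkcu.AlwaysInstallElevated -eq 1)
if ($aieMachine -and $aieUser) {
    Write-Warning 'AlwaysInstallElevated is set in HKLM and HKCU: any user can install MSI packages as SYSTEM.'
} else {
    Write-Host 'AlwaysInstallElevated: not effective (good).'
}
```

The script only reports; whether a 31-day-old update is acceptable depends on the environment's patch cycle, so adjust `$MaxPatchAgeDays` accordingly. The policy section is there to make the article's point concrete: on the host in the CVE-2021-41379 example the MSI policy was set and was bypassed anyway, which is exactly why the patch-age check comes first.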
Any software may have security vulnerabilities, so always check that the software version you use is current, to reduce the risk of an old, already-known vulnerability being exploited. Software vendors are not required to provide security updates for unsupported products, so an end-of-life version stays vulnerable for good.
This is the second part of our cybersecurity series, prepared in cooperation with my team: Maksim Martsinkevich, our Team Lead, and Ivan Shyshkou.
Stay tuned to discover more about cyber security, and read the first part of the series here.