A zero day is a vulnerability in software that is not yet known to the manufacturer and for which no patch or fix is yet available. In other words, the manufacturer has had ‘zero days’ to fix the vulnerability, because they didn’t know it existed. An exploit is the code or technique used to exploit this vulnerability.
A zero-day exploit is therefore an attempt to utilise such a vulnerability. Accordingly, we refer to a zero-day attack when the affected system is threatened by a zero-day exploit. Hackers and state actors like to keep zero-day exploits secret so that they can be utilised for a long time or sold at the right time for a profit.
Such vulnerabilities can remain undiscovered for months or even years. During this time, attackers can steal or copy data and damage sensitive systems until the manufacturer recognises and fixes the error.
How does a zero-day exploit work?
In a zero-day exploit, an unknown vulnerability in software is utilised. In most cases, the aim is to execute unauthorised code or bypass security mechanisms. This requires three things:
To discover vulnerabilities, hackers either use ‘fuzzing’, i.e. automated testing with random data, or they manually analyse existing code using reverse engineering.
If a vulnerability is found, code is written with the aim of gaining administrator rights or directly tapping into data, for example.
Once the malicious code has been tested, it is ‘packaged’, i.e. embedded in a PDF document, a website or an Office document, and sent to the victims.
What types of zero-day exploits are there?
The most common zero-day exploits include:
Remote Code Execution (RCE)
The starting point for attacks using Remote Code Execution is usually a vulnerability in a publicly accessible application that enables the execution of malware and thus the execution of unwanted commands on the underlying computer.
Privilege escalation
Privilege escalation refers to the unauthorised elevation of privileges assigned to a logged-in user who belongs to a specific privilege group. Example: An attacker has access to a simple user account and uses the exploit to gain root rights.
Zero-click exploits
A zero-click exploit is designed to work without user interaction. Most zero-click exploits attempt to exploit vulnerabilities in applications that accept and process untrusted data. These exploits are particularly dangerous on smartphones, for example via iMessage, WhatsApp or MMS.
Sandbox escape
A sandbox escape is the use of a vulnerability in software to break out of a secure or quarantined environment – the sandbox.
Supply chain exploit
A supply chain exploit is not directed against the actual target, but against supporting processes in which there is a certain amount of trust. The attack itself is therefore directed against third parties and can be directed against people/companies as well as hardware or software.
Network exploits
These exploits target network services such as RDP, VPNs or routers and can be delivered over a network connection.
File-based exploits
These exploits are embedded in files, such as Word documents, PDF documents or ZIP files.
Web exploits
Web exploits target the browser or web plugins (Flash, PDF, JavaScript) and are often triggered by visiting websites.
Zero-day vulnerability in Google Chrome 2021
In 2021, a critical zero-day vulnerability was discovered in Google Chrome that was actively exploited. The vulnerability, known as CVE-2021-30563, affected the JavaScript engine V8 and allowed attackers to execute arbitrary code on the affected systems through specially crafted websites. Google responded immediately with a security update for Windows, macOS and Linux to close the gap. Users were urged to update their browsers to version 91.0.4472.164 to prevent potential attacks.
Zero-day exploits and email security
In terms of email and email security, infected attachments (e.g. a PDF or Office document or HTML attachments) are the main gateway for zero-day exploits. However, links in emails that lead to infected websites are also used by criminals.
Spear phishing is often used to prepare such attacks. These targeted attacks are intended to persuade victims to perform certain actions or to disclose information. The challenge for the criminals is always to establish credibility, and they succeed.
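A defender-side illustration of the point above, added here as an example that is not part of the original article or of NoSpamProxy: it triages the attachments of a parsed message, flagging the file classes the text names (PDF, Office, HTML), a file whose content does not match its claimed type, and Office documents that carry a macro project. The message, file names and file contents are constructed inside the block.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Expected leading bytes for the file types the text names, keyed by extension.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04"}
ACTIVE_CONTENT = {".html", ".htm", ".pdf", ".docx", ".xlsx", ".zip"}


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing notable."""
    findings = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in ACTIVE_CONTENT:
        findings.append(f"attachment type {ext} can carry active content")
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"content does not match the {ext} file signature")
    # OOXML documents are ZIP containers; a vbaProject.bin part means macros.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.endswith("vbaProject.bin") for n in zf.namelist()):
                    findings.append("document contains a VBA macro project")
        except zipfile.BadZipFile:
            findings.append("truncated or corrupt ZIP container")
    return findings


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Run triage_attachment over every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # get_payload(decode=True) yields the raw bytes whatever the transfer encoding.
    return {p.get_filename(): triage_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}


def build_sample() -> bytes:
    """Constructed message: a fake 'PDF', a macro-bearing .docx and an HTML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00")  # marker part only, not real VBA
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"MZ\x90\x00 not a pdf", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="report.docx")
    msg.add_attachment(b"<html><body>Open the link</body></html>", maintype="text", subtype="html", filename="notice.html")
    return msg.as_bytes()
```

In a mail gateway the findings would feed a quarantine or sandbox-detonation decision rather than being printed.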
Why is a zero-day exploit dangerous?
A zero-day exploit is so dangerous because it is a secret door into a system that nobody but the attacker knows about. As the vulnerability is not yet known, there are also no countermeasures – attacks can therefore take place without any defence: no updates, patches, warnings or similar are available at the time of the attack.
Many victims are not aware that they are being attacked. This allows criminals to take over systems undisturbed, steal data, infiltrate networks and much more.
Accordingly, zero-day exploits have a high value for criminals: the exploits are traded for up to several million dollars and sold on the darknet, and in many cases bought by intelligence services.
However, there is also legal trade in zero-day exploits, as providers such as Google Project Zero or CrowdStrike pay large sums of money to track down vulnerabilities as part of bug bounty programmes.
How can zero-day exploits be prevented?
In principle, zero-day attacks cannot be prevented, because if you were aware of the existence of a vulnerability, you would eliminate it. However, there are ways of minimising the risk of an attack and containing the possible consequences: