Understanding Zero-Day Vulnerabilities & Attacks

In computer science, a vulnerability is considered to be a zero-day vulnerability if it’s unknown to all parties interested in patching it, such as:

  • The team maintaining the project
  • The users of the project
  • Vulnerability researchers

Vulnerability researchers are the good guys – people who won’t take advantage of the vulnerability for their own gain and who will exercise responsible disclosure.

Let’s illustrate this concept with a small example.

Zero-Day Vulnerability Example

Let’s say I’m the only maintainer of a WordPress premium plugin with a small user base and I recently rolled out an update containing a vulnerability to all my plugin users.

In this example, I don’t have code audits by other developers, which is really bad, and this vulnerability was picked up by neither my manual nor my automated tests. To make matters worse, not a single user of my plugin cared enough to audit the new code either. So this vulnerability is just sitting there, unnoticed.

Is this a zero-day vulnerability? Yes, it is!

If an attacker learns about this vulnerability, it is still a zero-day: the attacker has no interest in patching it, only in exploiting it.

This last turn in our hypothetical scenario is actually common in real life, and it shows clearly the enormous risk zero-day vulnerabilities introduce to your website.

Zero-Day Attacks

As in our last example, when the bad actors learn about a security vulnerability before the project’s maintainers, users, and vulnerability researchers do, things can get ugly really fast.

Attackers love zero-day vulnerabilities because, with no security patch to stop them, the only thing in their way is how exploitable the vulnerability is. Some vulnerabilities require a certain level of privileges in order to be exploited, but that depends entirely on the vulnerability.

Attackers are really proactive when it comes to testing whether a website is vulnerable to specific attack vectors. If this wasn’t enough, attackers are also big fans of automation, which allows them to scan the internet looking for websites matching specific vulnerabilities and conditions.

How to Protect and Recover Your Website from Zero-Day Attacks

We can hit you all day with pieces of advice on how to keep all your software updated, how to only install what’s necessary because every piece of code added to your system has the potential to be a risk, how to keep file permissions really tight on your web server, and so on. You can read about the top 10 tips to improve your website security here.

The truth is that those security best practices should be complemented with other security controls in order to reduce the attack surface even more!

WAFs (Website Application Firewalls) are great at preventing the exploitation of zero-day vulnerabilities because their rules block request behavior that is already known to be malicious, even when no patch exists for the vulnerability itself.

It’s important to acknowledge the fact that WAFs are not perfect and can be bypassed when a zero-day vulnerability exploits an attack vector that is not yet handled by any of the WAF’s rules. These cases are really rare, and part of our job as a security company is to keep our WAF always ahead of emerging threats. In fact, we’re very proud to say that when we discover a zero-day vulnerability being exploited in the wild, more often than not, the Sucuri Firewall was already blocking it.
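To illustrate the two points above, that a rule set blocks behavior it already knows about and lets an unknown vector through, here is a minimal WAF-style request inspector. This is an added example, not the post’s or Sucuri’s code; the plugin path, rule ids and sample requests are constructed placeholders for the hypothetical plugin in the scenario above.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern


def normalize(raw_url: str) -> str:
    """Decode percent-encoding twice (to catch double encoding) and lowercase
    the request, so trivial encoding differences don't slip past a rule."""
    return unquote(unquote(raw_url)).lower()


# Constructed rule set. "example-premium-plugin" is a hypothetical placeholder
# for the vulnerable plugin in the scenario, not a real WordPress plugin.
RULES = [
    Rule("R001", "directory traversal sequence in request",
         re.compile(r"\.\./")),
    Rule("R002", "virtual patch: block the vulnerable plugin endpoint until fixed",
         re.compile(r"^/wp-content/plugins/example-premium-plugin/upload\.php")),
]


def inspect_request(raw_url: str, rules=RULES):
    """Return the id of the first matching rule, or None if the request passes."""
    url = normalize(raw_url)
    for rule in rules:
        if rule.pattern.search(url):
            return rule.rule_id
    return None


def audit(raw_urls, rules=RULES):
    """Map each request to the rule that blocked it (None = allowed through)."""
    return {u: inspect_request(u, rules) for u in raw_urls}


if __name__ == "__main__":
    # Constructed sample traffic. The last request hits a different endpoint
    # of the same hypothetical plugin: an unknown vector, so no rule fires.
    sample = [
        "/index.php?p=42",
        "/download?file=..%2F..%2Fnotes.txt",
        "/wp-content/plugins/example-premium-plugin/upload.php?f=x",
        "/wp-content/plugins/example-premium-plugin/export.php?id=1",
    ]
    for url, hit in audit(sample).items():
        print(f"{'BLOCK ' + hit if hit else 'ALLOW':<10} {url}")
```

The fourth request passing untouched is exactly the gap described above: the rule set only covers what is already known, so a new rule has to be written once the vector is discovered.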

It makes a lot of sense, however, to have a plan in case your website gets hacked.

Recovering a Hacked Website

You can read our guide on How to Clean a Hacked Website for a better understanding of the steps involved to restore your website back to normal.

Remember that recovering your site from a hack is easy when you have a dedicated security team you can count on. However, if you don’t have a plan at all, it can be very difficult to address a security breach.

If you believe your website has been compromised by a zero-day attack and need assistance cleaning up your website, we’re always happy to help.

Our researchers work day and night to be ahead of website threats so that you don’t have to worry about it anymore. If you are looking for a robust website security solution, we offer you a complete platform.
