Keeping an ear out for new vulnerabilities is part of the daily routine for those of us in the IT/cybersecurity world. But when we see a new one, how do we know if it’s a “drop your coffee and get to it” type of scenario or not? One keyword to help is “zero-day”. Sounds pretty intense. Let’s explain it!
What does Zero-Day mean?
Zero-day is the term for “a vulnerability in a system or device that has been disclosed but is not yet patched.” That’s because, according to Wired, “The term ‘zero-day’ refers to the number of days that the software vendor has known about the hole.” As you can imagine, this is cause for concern: with no patch available yet, systems stay vulnerable to exploitation by the bad guys.
What can I do in response to a Zero-Day?
Unfortunately, it can feel frustrating to see a zero-day when you know there’s no fix to implement. The good news is that, even when no patch has been released, the researcher disclosing the issue sometimes offers other actions to reduce the chance of exploitation. These workarounds are temporary, of course, and may not be fully effective against every exploit. One typical workaround is disabling the specific function within the software that the vulnerability depends on. Otherwise, the best thing you can do is keep an ear to the ground so you know the moment a patch is available. That way you are ready to roll it out quickly.
Are all Zero-Day vulnerabilities the same?
Simply put, no. All zero-days are alike in that they are open to exploitation without a patch, but they can differ in nearly every other way. First, remember to check the CVSS score for that vulnerability. This is your primary indication of criticality. Secondary indicators might include whether it is being actively exploited, the ease of exploitation (if discussed by the entity disclosing the vulnerability), and the type of vulnerability itself (Remote Code Execution, privilege escalation, etc.). Vulnerabilities can also be chained together to gain access to a system. These factors are variable and it’s tough to quantify specific risk from them, but they are still helpful information to aid in decision-making and prioritization.
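To make the prioritization above concrete, here is a small triage helper. It is an added example, not code from the original post: it ranks advisories by CVSS score first and then applies bounded adjustments for active exploitation, ease of exploitation and vulnerability type, and it recommends an action (patch, workaround, or monitor) based on what is available. The advisory records and their “ZD-” identifiers are constructed placeholders, not real CVEs, and the weights are an assumption you would tune for your own environment.

```python
"""Added example (not from the original post): rank zero-day advisories for
remediation using the indicators the post names. CVSS is the primary signal;
exploitation status, ease and vulnerability type are bounded secondary bumps."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Advisory:
    ident: str                    # constructed placeholder id, not a real CVE
    cvss: float                   # CVSS base score, 0.0 - 10.0
    patch_available: bool
    exploited_in_wild: bool = False
    ease: Optional[str] = None    # "low", "medium", "high", or None if not disclosed
    vuln_type: str = "unknown"    # e.g. "rce", "privesc", "dos"
    workaround: Optional[str] = None


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage_score(adv: Advisory) -> float:
    """Combine the indicators into one ranking value.

    The secondary adjustments add at most 3.5 in total (assumed weights), so
    CVSS stays the dominant factor while still letting an actively exploited
    mid-severity bug climb above an unexploited, already-patched high one.
    """
    score = adv.cvss
    if adv.exploited_in_wild:
        score += 1.5
    # Unknown ease gets a small bump: uncertainty should not lower priority.
    score += {"high": 1.0, "medium": 0.5, "low": 0.0}.get(adv.ease or "", 0.25)
    score += {"rce": 1.0, "privesc": 0.5}.get(adv.vuln_type, 0.0)
    return round(score, 2)


def recommended_action(adv: Advisory) -> str:
    """Patch if you can; otherwise apply the disclosed workaround; otherwise watch."""
    if adv.patch_available:
        return "patch"
    if adv.workaround:
        return f"apply workaround: {adv.workaround}"
    return "monitor for patch; consider compensating controls"


def prioritize(advisories: List[Advisory]) -> List[Advisory]:
    """Return advisories ordered from most to least urgent."""
    return sorted(advisories, key=triage_score, reverse=True)


# Constructed sample advisories (not real vulnerabilities).
SAMPLE_ADVISORIES = [
    Advisory("ZD-0001", 9.8, patch_available=False, exploited_in_wild=True,
             ease="high", vuln_type="rce", workaround="disable the affected feature"),
    Advisory("ZD-0002", 7.5, patch_available=True, exploited_in_wild=False,
             ease=None, vuln_type="dos"),
    Advisory("ZD-0003", 5.3, patch_available=False, exploited_in_wild=True,
             ease="medium", vuln_type="privesc"),
]

if __name__ == "__main__":
    for adv in prioritize(SAMPLE_ADVISORIES):
        print(f"{adv.ident}  cvss={adv.cvss} ({cvss_band(adv.cvss)})  "
              f"score={triage_score(adv)}  action: {recommended_action(adv)}")
```

Running it lists ZD-0001 first, then ZD-0003 ahead of ZD-0002: the medium-severity bug that is being exploited with no patch outranks the high-severity one that already has a fix. That is the point of the secondary indicators; adjust the weights to match how your own team treats exploitation evidence.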
What is an example of a recent Zero-Day vulnerability?
At the end of last year, the Log4j vulnerability was top of everyone’s mind. Apache quickly released a patch for the initial vulnerability, but unfortunately that update contained a new vulnerability. Apache released another patch, and that one contained two new critical vulnerabilities. This is an example of zero-day vulnerabilities for which the vendor quickly produced patches, which is not always the case.
What else would you like to know about zero-days? Comment below to let us know!
See ya next time!
Jessica Starkey | Technical Marketing Engineer