Zero Day vulnerabilities have a special place in the modern era. The Internet of Things (IoT) is the web of devices that connect to each other wirelessly, over Wi-Fi or Bluetooth, whether they are stationary or mobile. In some cases I would count a laptop as a mobile device, for example when it connects to Wi-Fi at a coffee shop. If you are new to the world of tech, I will include an introduction in another story. For now, the key point is that devices such as your phone and TV can now interact in ways that were unimaginable at one point in time. This created the IoT and also created new avenues for malicious actors. You can sign in to your TV with the YouTube app at a time when passwords alone have become an extremely weak authentication method.

Vulnerabilities are weaknesses and flaws in the design or implementation of a system that open up attack vectors. Cyber-crime is not the focus here, but in most cases Zero Days are used for such purposes. The overall goal is usually data theft that leads to financial gain, against systems that cannot be easily fixed for various reasons. Some common attack classes are Buffer Overflows, SQL injection (SQLi) and the categories listed in the OWASP Top 10. The OWASP Top 10 is revised every few years (the most recent editions are 2017 and 2021), not yearly. Just to keep count, the Top 10 already makes up a large attack surface, not to mention the many other weaknesses still waiting to be discovered.
What is a Zero Day?
A Zero Day (written 0-day and often pronounced "oh-day") is a vulnerability in an application, software or hardware system that was not previously known to the vendor, or that was exploited before a fix was available; the name reflects that the vendor has had zero days to patch it. Many are found by probing around previous patches to a system; only rarely is one entirely new to the security world. Security researchers are constantly finding new bugs and reporting them to companies, but in other cases bugs are found and used by attackers before anyone can patch them. A well-known example is Stuxnet, a worm that exploited several Windows Zero Days at once.
The History and Landscape
A few major companies have disclosed vulnerabilities this year, among them Microsoft (Windows) and Apple, who dominate the market for the consumer devices (laptops, tablets and phones) that make up much of the IoT alongside smart speakers like Amazon's Alexa. So where do these vulnerabilities come from? Let's start with the Morris Worm of 1988, or maybe go back to Creeper in the early 1970s. These historic milestones showed the many ways the design of a computer can be leveraged for cyber-attacks. Creeper was harmless, but the capability it demonstrated, self-replication and spreading to another computer system, has been used in malware for decades. There is a slight difference between a computer worm and a virus. A worm moves about your network and transfers itself on its own, like Creeper and the Morris Worm. A virus depends on a host, much like a biological virus; viruses normally attach themselves to files or processes and run when the host does, borrowing its privileges to execute.
With that background on worms and viruses, you are ready to understand where the vulnerabilities we are going to list come from. Some of them abuse Buffer Overflows, where a program writes more data into a fixed-size memory buffer than it can hold and corrupts whatever sits next to it; others abuse the human element, tricking a user into opening a document or link that hands the attacker access to internal resources.
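To make the Buffer Overflow case concrete, here is an added example (not code from the original story or from any of the products named on this page). It parses a constructed, length-prefixed "name" record of the kind a network service might receive, first the way a vulnerable parser does it, trusting the length byte from the wire, and then with the two bounds checks that close the hole. The message layout, the NAME_MAX size and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size buffer the parser fills (assumed for this example) */

/* Constructed record layout: [len:1 byte][name:len bytes]
 * The len byte is attacker-controlled; nothing forces it to be honest. */

/* Vulnerable parser: copies as many bytes as the packet claims.
 * If len > 15 it overflows name[NAME_MAX]; if len exceeds what the packet
 * actually carries it also reads past the end of the packet. */
int parse_name_vulnerable(const uint8_t *pkt, size_t pkt_len, char *name)
{
    if (pkt_len < 1) return -1;
    uint8_t len = pkt[0];
    memcpy(name, pkt + 1, len);      /* len never compared to NAME_MAX or pkt_len */
    name[len] = '\0';
    return len;
}

/* Hardened parser: the copy is bounded by both the destination capacity
 * (no overflow) and the bytes actually present in the packet (no over-read). */
int parse_name_safe(const uint8_t *pkt, size_t pkt_len, char *name, size_t name_cap)
{
    if (pkt_len < 1) return -1;
    uint8_t len = pkt[0];
    if ((size_t)len >= name_cap) return -1;     /* would not fit, with room for '\0' */
    if ((size_t)len > pkt_len - 1) return -1;   /* packet is shorter than it claims */
    memcpy(name, pkt + 1, len);
    name[len] = '\0';
    return len;
}

/* Builds a test packet; claimed_len lets us lie about the payload length. */
size_t build_packet(uint8_t *out, size_t out_cap, const char *name, uint8_t claimed_len)
{
    size_t n = strlen(name);
    if (n + 1 > out_cap) return 0;
    out[0] = claimed_len;
    memcpy(out + 1, name, n);
    return n + 1;
}

int main(void)
{
    uint8_t pkt[64];
    char name[NAME_MAX];
    size_t n;

    n = build_packet(pkt, sizeof pkt, "alice", 5);          /* honest length */
    printf("safe, honest packet:  %d (%s)\n", parse_name_safe(pkt, n, name, sizeof name), name);

    n = build_packet(pkt, sizeof pkt, "alice", 200);        /* claims 200 bytes */
    printf("safe, lying length:   %d\n", parse_name_safe(pkt, n, name, sizeof name));
    /* parse_name_vulnerable(pkt, n, name) on this packet would memcpy 200 bytes
     * into a 16-byte stack buffer: that is the overflow the text describes. */
    return 0;
}
```

The point to take from the hardened version is that one check is not enough: the destination bound stops the stack overflow, and the source bound stops the over-read that leaks neighbouring memory. Real parsers also need the same pair of checks for every nested length field, which is where most overflow bugs in network code come from.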
Is Patching Easy?
The biggest dilemma companies face when vulnerabilities are found at the lowest level of a system is patching. After a security breach, the system admins begin trying to prevent the next one. Sometimes the solution is a few keystrokes that roll out to all systems and users. But suppose the bug is in the email system, or in Windows Server 2022. How does a company take down half of its infrastructure to make important updates and upgrades? What if the update has to come from another company that provides the service? Scheduled maintenance is normal for companies, but a cyber-attack accelerates things by forcing fixes and patches on short notice. For mobile users, vendors can effectively force the update by making features unavailable until it is installed. For desktop end users, waiting until Friday is not an option once something like EternalBlue has been reported and shown to cause devastation to companies and their systems. Companies manage these situations differently, but those scenarios give you a small view of what CEOs face when hacks happen.
Short List of recent Zero Days in 2022
- CVE-2022-1364 – Chromium (type confusion in the V8 JavaScript engine)
- CVE-2022-30190 – Follina (Windows, Microsoft Support Diagnostic Tool)
- CVE-2022-32894 – Apple (kernel out-of-bounds write)
- CVE-2022-32893 – Apple (WebKit out-of-bounds write, RCE)
Quick References:
- Vulnerabilities – any flaw in system design or implementation that allows for unintended behaviors and consequences
- EternalBlue – An exploit against Windows SMBv1 developed by the NSA and leaked in 2017 by a hacker group, the Shadow Brokers; Microsoft patched the underlying bug as MS17-010
- Stuxnet – A worm discovered in 2010 that targeted Siemens industrial control (SCADA) systems