Zero-day Attacks – CompTIA Network+ N10-006 – 3.2


The applications that we use across our networks can hide vulnerabilities that haven’t yet been discovered by the general public. In this video, you’ll learn about zero-day attacks that take advantage of these vulnerabilities.


Here’s something to consider. The applications you’re using on your computer right now have security vulnerabilities. We just don’t know what they are yet. We know that they’re somewhere in the code, and eventually someone will identify these security vulnerabilities. But in the meantime, they are vulnerabilities that nobody knows about.

But the bad guys are working very hard to find these security vulnerabilities. There are some good guys working very hard to find these security vulnerabilities as well. The good guys find the vulnerability and share their findings with the developer of the software, who then repairs the issue and releases a patch. At that point the good guy talks about how they originally found the problem and how it has now been resolved by the developer.

The bad guys, though, tell nobody. They don’t want anybody to know that they found a way into your system that nobody knows about. The operating system manufacturer doesn’t know about it. The application developers don’t know about it. Nobody knows about it. And they’re going to use that vulnerability for some type of personal gain. They want to gain access to your computer so that they can then use it in a botnet. They could then have it send email or perform whatever function they’d like.

A zero-day vulnerability is one that has not been published. Nobody’s heard about this vulnerability before. There are no patches for this vulnerability. We’ve all suddenly had a realization that this vulnerability exists. And that’s why you usually see the security groups scrambling around trying to find ways to mitigate this issue until a patch is available to resolve this particular vulnerability. The bad guys usually jump on this pretty quickly. They want to take advantage of the fact that you don’t have a patch. And they will create an exploit for the vulnerability and try to gain access to as many systems as they can.

That’s why we find that zero-day exploits are becoming increasingly common: the bad guys quickly try to find a way to get into your systems before you have a chance to close the door. Mitre keeps a list of all of these known vulnerabilities in the Common Vulnerabilities and Exposures database at cve.mitre.org.

We often reference a patch or an update to an operating system not just by the manufacturer’s name for that particular patch; it almost always has a CVE number associated with it as well. And that’s coming directly from Mitre’s CVE database. I wanted to give you an example of a zero-day vulnerability notification. This one goes back a number of years. There are some interesting things about this particular vulnerability.

This was one that was announced on November the 3rd of 2010. And it affected Internet Explorer 6, 7, and 8. It was effectively a brand new vulnerability, and no patch was available. There’s the URL for the advisory from Microsoft. It took until December the 14th of 2010 to get a patch. The patch number was the Microsoft 10-090. So we had a gap there between November the 3rd and December the 14th where we effectively had a zero-day vulnerability that was identified.

And of course on December 14th, there was really no longer a zero-day vulnerability, because we had a patch available that we could then apply to all of these different Internet Explorer versions. Here’s the information about what this patch was really resolving. What was happening is that a bad guy could get you to visit a web page. That web page would download and install malware without any user interaction at all. That’s a pretty significant vulnerability.

What’s interesting about this is that it affected so many different versions of Internet Explorer: Internet Explorer 8, Internet Explorer 7, and Internet Explorer 6. If we look back, Internet Explorer 6 was released on August the 27th of 2001. That means that this vulnerability was actually inside of Internet Explorer for nine years, but nobody knew that it was there. This is the big challenge that security people have: we have to stay one step ahead of the bad guys, and in some cases we have to be prepared even when we don’t know that a particular vulnerability exists.