The worst attacks are the ones you don’t know about. In this video, you’ll learn about zero-day attacks and some real-world zero-day vulnerabilities.
<< Previous Video: Denial of Service Next: Man-in-the-Middle >>
There are operating systems and applications that you are using right now that contain vulnerabilities. The problem is that we don’t know what those vulnerabilities are yet. We’re expecting that a researcher or perhaps an attacker will be able to identify those vulnerabilities, at which point we will be aware of what that vulnerability happens to be.
The good guys and the bad guys are working very hard to find these vulnerabilities. The good guys obviously want to patch the system before the bad guys know the vulnerability exists. And the bad guys would love to take advantage of that vulnerability before a patch is created.
The bad guys are going to use these vulnerabilities for personal gain. They will either themselves use these vulnerabilities to gain access to a system. Or they will sell these vulnerabilities to the highest bidder.
A zero-day vulnerability is one that has suddenly been identified. But up to this point, no one knew that this vulnerability existed. And there is usually a delay between the point that a vulnerability is found and a vulnerability is patched. The zero-day vulnerability means that it’s very possible that your systems could be susceptible to this vulnerability. And you would have had no idea that the vulnerability was there.
You can find a maintain list of the vulnerabilities that we know about at the Common Vulnerabilities and Exposures database, or the CVE list. And this can be found at cve.mitre.org.
An example of a zero-day vulnerability would be one that we found in March of 2017. The CVE is CVE-2017-0199. This is a vulnerability associated with Microsoft Office and also with the application WordPad on Windows systems.
This is a remote code execution vulnerability that integrates with the Windows API. You would simply open a Microsoft Office file or a WordPad file, and that was enough for that vulnerability to take effect. Although this particular vulnerability was announced and patched in March of 2017, Sophos had documented these attacks occurring in the wild since November of 2016. And obviously, the vulnerability existed in these applications well before that date.
Another example of a zero-day vulnerability was announced in May of 2019. This is CVE-2019-0863. And it’s a vulnerability associated with the Windows Error Reporting Service. That’s the service that pops up whenever there’s an error that asks if you’d like to send information to Microsoft. This allowed an elevation of privilege, which means that the process of the Windows Error Reporting Service interacting with files allowed a standard user to suddenly have administrative rights and permissions.
This vulnerability was announced in May of 2019. But it’s a vulnerability that exists within Windows 10, Windows 8.1, Windows 7, and even some versions of Windows Server. Windows 7 has been out almost 10 years at this point, which means from the date the Windows 7 was introduced, this vulnerability was hidden inside of the operating system. And now recently, this vulnerability has been found being used in the wild.
Windows 7 has been out since July of 2009, which means this particular vulnerability has been around for at least 10 years. But only recently we happened to see someone taking advantage of this vulnerability in the wild. And because no one knew about this vulnerability prior to this point, this was a zero-day attack.