2 Network security threats
2.3 Zero-day vulnerability, zero-day attacks

There are a few common, but slightly different, definitions of a zero-day vulnerability. Some definitions use the term for software flaws that leave users exposed to cyber attacks before a patch or workaround is available or made public, while others define it as a security vulnerability that is exploited on the same day that it becomes publicly known (day zero). Under the first definition, a zero-day vulnerability can be unknown to everyone but the attacker (or a supplier who sells zero-day discoveries on the black market); some authors refer to attacks on such vulnerabilities as 'less than zero-day'. In other cases, the software vendor knows about the vulnerability but has not yet issued a fix.

These attacks are rarely discovered quickly; in fact, it often takes not just days, but months, and sometimes years, before a developer learns of the vulnerability that led to an attack.

In either case, the result is the same: users are wide open to attack. As L. Bilge and T. Dumitras state in [5], “While the vulnerability remains unknown, the software affected cannot be patched, and anti-virus products cannot detect the attack through signature-based scanning”. Software vulnerabilities may be discovered by crackers, by security companies or researchers, by the software vendors themselves, or by users. If discovered by crackers, an exploit will be kept secret for as long as possible and will circulate only within the ranks of crackers/hackers, until software or security companies become aware of it or of the attacks that use it.

Fig. 2.2 – Vulnerability period of a zero-day attack

Zero-day exploits have enabled some of the most destructive and high-profile attacks in recent years. For instance, Operation Aurora (2009) exploited an Internet Explorer vulnerability against more than 20 targets, including Morgan Stanley, Google, Yahoo, Dow Chemical, Adobe Systems, Juniper Networks and even a security software company like Symantec.

Probably the most famous zero-day attack was Stuxnet (2010). The Stuxnet worm used four separate zero-day exploits to damage industrial controllers and disrupt Iran’s Natanz uranium enrichment facility. Stuxnet was designed to manipulate industrial programmable logic controllers (PLCs) made by the German firm Siemens that control and monitor the speed of the centrifuges. The remote attackers could not reach these devices directly because the computers were not connected to the Internet, so they designed their attack to spread via infected USB flash drives, and they first infected computers belonging to five outside companies believed to be connected in some way to the nuclear program. The use of four zero-day vulnerabilities is extraordinary and is unique to this threat. Moreover, Stuxnet also used a variety of other vulnerabilities, which shows the extraordinary sophistication, thought, and planning that went into this attack.