Ask Leo! #654 – What’s a “Zero-Day” Attack?

Privacy Advocates

In response to Supercookies and Evercookies: Resistance is Futile, I received the following comment, privately:

What privacy watchdog groups? Who determines what privacy is? Law enforcement?-Is it the S.S.? (or K.G.B., etc.) Who's going to make legislation? What is a 'blatant violation'? We must be very, nay, extremely careful in determining who makes/carries out the rules.

Good points.

While this is a topic that varies dramatically, depending on where you live, in the United States, at least, I support the Electronic Frontier Foundation for exactly this purpose. They're perhaps the largest watchdog organization when it comes to online issues, most especially concerning privacy. Fight for the Future is another. And of course there's the American Civil Liberties Union (ACLU), though they're busy with many issues of late that more than transcend technology.

Ultimately it's your government that sets the rules, and it's up to the various entities to then follow those rules. Organizations like the EFF and others attempt to hold all the players accountable.

I encourage you to, in turn, support those organizations that align with your concerns and values.

What's a "Zero-Day" Attack?

Can you tell me more about zero-day drive-by attacks? I experienced one on my fully updated and patched Windows computer (automatic Windows Update ON) which has the latest anti-malware tools. I saw the hacked behavior and immediately turned off my computer. Scanning both before and after this attack showed no prior or present malware infection. Is this the best response for such attacks as it appears to have successfully prevented malware infection by this drive-by attack that I experienced?

The very nature of "zero day" exploits is that your virus scanner would show that you were clean both before and after being infected.

It's not until your anti-virus software provider updates their virus databases and you take that update that your scanner knows what to look for.

Yes, that means you may still be infected.

Let's go through the timeline that got you here.

Vulnerabilities exist

There are security vulnerabilities in Windows (and all operating systems) that have not yet been discovered.

If no one knows about them, then it's not an immediate threat — hackers can't exploit things they don't know about.

Not infrequently, a "good guy" will discover a vulnerability, but keep it a secret so malware authors don't find out about it and start to exploit it. Instead, the "good guy" contacts Microsoft and tells them about the issue, so a fix can be made available before the vulnerability becomes general knowledge.

Quite often, as a not-so-subtle form of encouragement to fix the problem, the reporter will indicate that he or she will make the details public within a certain amount of time. For example, Microsoft might be given 90 days to release a fix for the vulnerability.

That's if one of the good guys finds it first.

If a malware author discovers the problem and releases malware that exploits it, then systems can become infected before anti-virus software providers can update their databases and release the update to their users.

If malware exploiting a specific vulnerability is discovered "in the wild" before a fix for that vulnerability is available, then Microsoft has zero days to fix the problem. Hence, it's called a "zero day" exploit, vulnerability, or attack.

The zero-day timeline

Let's look at the timeline a little more closely.

Zero-Day Timeline

Vulnerability Introduced: 99 times out of 100, this is a simple programming error or oversight that could quite literally have happened years ago. The problem could have existed the entire time, but again, if no one knows about it, there's no one to exploit it, so it remains benign.

Vulnerability Discovered by Hackers: once discovered, the race is on. Hackers try to keep the nature of the issue to themselves for as long as possible, so as to delay any fix.

This begins what I'm calling the Window of Complete Vulnerability: there's a bug, there is malware that exploits it, anti-malware software does not yet detect it, and there is no fix for it. There's little you can do.

Malware Exploiting Vulnerability Discovered: at some point, the existence of the problem becomes public knowledge, usually by finding and reverse engineering malware that exploits it.

Anti-malware Detection Updated: as new malware is discovered, anti-malware tool vendors add information to detect it to their databases. This is why it's so critical you keep your anti-malware databases as up to date as possible. Without the latest updates, your scanners will not know how to detect the latest threats.

This begins what I call the period of Partial Vulnerability. Some of the malware making use of the exploit can now be detected and blocked by anti-malware tools. This is only partial safety: the vulnerability still exists, and there is no fix for it. New malware will be written making use of the same vulnerability, attempting to stay one step ahead of the anti-malware vendors.

Vulnerability Fixed: at some point, Microsoft releases a patch that fixes the problem. Systems updated to include the fix are now safe. Malware that attempts to exploit the vulnerability on those systems will fail. This is why it's so important to make sure your operating system is updated regularly, in addition to keeping your anti-malware databases up to date.

Like I said, it's a race. In the best cases, Microsoft has some time to release a patch to prevent a vulnerability from being exploited.

Unfortunately, it's all too common that they have zero days to do so.

Zero-day response

If you find yourself in the situation described by our questioner, I have some suggestions:

  • Restore your computer to a backup image taken prior to the infection.
  • If you don't have a backup, try a system restore to a point prior to the infection. This isn't guaranteed, but depending on the specific malware involved, it might help.
  • Check with your anti-malware tool vendor immediately, or at least force an update of the database and perform a full anti-malware scan. Keep updating that database regularly — I recommend daily.
  • If you can figure out what it was that caused the infection … well, don't do that again.
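The middle two steps above (force a database update, run a full scan, keep updating daily) can be carried out from an elevated PowerShell prompt on a Windows PC. The following is an added example, not part of the original newsletter; it assumes Microsoft Defender is the active anti-malware tool (a third-party product has its own update and scan commands), and the scheduled-task name is a made-up one.

```powershell
# Added example: zero-day response steps on Windows using the built-in
# Defender PowerShell module. Run from an elevated (Administrator) prompt.
# Assumes Microsoft Defender is the active anti-malware product.

# 1. Force a signature database update so the scanner knows what to look for.
Update-MpSignature -ErrorAction Stop

# 2. Confirm the update took and see how old the signatures are.
$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
"Signature version : $($status.AntivirusSignatureVersion)"
"Signature age     : {0:N1} hours" -f $sigAge.TotalHours
if ($sigAge.TotalDays -gt 1) {
    Write-Warning "Signatures are more than a day old; check connectivity or the vendor's status page."
}

# 3. Run a full scan of the whole system, not just a quick scan.
Start-MpScan -ScanType FullScan

# 4. Review anything Defender has recorded as a detection, newest first.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize

# 5. Schedule a daily signature update (task name is a constructed example).
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -Command "Update-MpSignature"'
$trigger = New-ScheduledTaskTrigger -Daily -At 7am
Register-ScheduledTask -TaskName 'DailyDefenderSignatureUpdate' `
    -Action $action -Trigger $trigger -RunLevel Highest -Force

# 6. Signatures only give partial protection; confirm the OS itself is being
#    patched by listing the most recently installed Windows updates.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

The signature-age check in step 2 is the practical test of the "partial vulnerability" window: a scanner whose database is a day or more behind cannot detect malware the vendor added since. Step 6 matters because, as the timeline above describes, only the operating system patch closes the vulnerability itself; detection updates merely block the malware already known to use it.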

It's all about the race between anti-malware tools, hackers, and software vendors.

Occasionally, it's we who lose.

Related Links & Comments: What's a "Zero-Day" Attack?
https://askleo.com/3195

My webcam:
Logitech HD Pro Webcam C920

I actually have two of these - the current C920 as well as the previous C910 model. They're perfect for both making videos (some of my "talking head" videos were made using this simple webcam), as well as video chat like Skype (when I feel like being seen, of course).

Full HD on any of my Macs or PCs. It even comes with a convenient flip-down lens cover to protect your privacy.

If you don't yet have a webcam, or are unhappy with the quality of the webcam built into your laptop, as I am, then the C920 is a very cost-effective cam to consider.

-Leo

"Hand Picked" Advertisement

Can Everything I Do Online Be Monitored at My Router?

A few days ago, around the dinner table my family was talking about how police can monitor everything you do on the web and can track you. Because he is registered as the owner of the router, my father says that he can view everything I do as it passes through the router. Is this true? And if so, how can I bypass this?

Yes, it's true.

But before you focus on that too much, there are two things to keep in mind:

First, it's not really easy for the average consumer.

Second, there are easier alternatives to monitoring your router.

Let me explain what I mean and what you can do to protect yourself… if, indeed, you can protect yourself at all.

Continue Reading: Can Everything I Do Online Be Monitored at My Router?
https://askleo.com/4984

How Do I Fix "Invalid System Disk" Error?

Hopefully I can get this across: when I turn on the laptop the first thing comes on the screen says ‘invalid system disk, replace the disk and press any key.' I don't have a boot disk so I hit enter, then I get ‘no bootable device, insert boot disk and press any key.' I am thinking I need a boot disk.

There are several possible scenarios going on here. The good news is, most of them are completely benign and relatively easy to fix.

The bad news is, the one that's not benign is pretty serious — as in, "I hope you have a backup" serious.

Continue Reading: How Do I Fix "Invalid System Disk" Error?
https://askleo.com/27889

The Ask Leo! Tip of the Day

A feature exclusively available to Ask Leo! Patrons Bronze level & above.


Off-Topic

Something random from my personal blog that I think many can relate to: Surprise! It Worked!

Leo's Other Projects....

HeroicStories - Since 1999, HeroicStories brings diverse, international voices to the world, reminding us that people are good, that individuals and individual action matter. Stories - new and old - are published twice a week.

Not All News Is Bad - Each day I look for one story in the current news of the day with a positive bent. Just one. And I share it.

leo.notenboom.org - My personal blog. Part writing exercise, part ranting platform, it's where I write about anything and everything and nothing at all.

Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at https://newsletter.askleo.com for their own FREE subscription!

Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC