What Is a Zero-Day Flaw and How It Can Put Your Passwords at Risk
Perhaps philosophy doesn't come to mind when you think about cybersecurity. However, today we are going to talk about zero day vulnerability, and this concept requires a little bit of mental gymnastics. Things are simple when we deal with one specific infection that might affect vulnerable systems; zero day vulnerability, however, is more like a time frame that a malevolent third party can use to exploit a target system. Mitigating this vulnerability requires joint efforts from the software vendor and users. To find out more about this concept, and how zero day vulnerability can expose passwords, continue reading this blog entry.
The Concept of Zero Day Vulnerability
When you hear this phrase, you probably imagine some sort of software glitch that allows cyber criminals to hack into a system. You are actually right, but there are some aspects to this concept that we would like to explain.
Zero day vulnerability does not point to a particular program or a particular system. The term describes a hypothetical vulnerability that the software vendor does not know about. If a vendor isn't aware of a certain vulnerability, hackers have a better chance of exploiting it. The vulnerability is mitigated only when the vendor releases an update containing a patch that fixes it. The number of days the vendor needs to release a patch can be used instead of “zero” in the name.
For example, if it takes 20 days for a patch to be developed and released since the discovery of the vulnerability, the specific vulnerability can be called a 20-day vulnerability. However, even if the fix has been developed, there is still a big chance that the vulnerability can be exploited because not every single user might apply the fix immediately.
Examples of Zero Day Vulnerability
To give you a better picture of how the zero day vulnerability concepts can be applied in practice, let's take a look at the most recent software issues that made the headlines in 2019. For example, in the beginning of February, Adobe released a micropatch that was used to resolve a zero day vulnerability for Adobe Reader. Unlike most of the exploits that make use of a certain software vulnerability, the attackers who used this vulnerability exploited weaknesses found in a content embedding feature for PDF files. As a result, this zero day vulnerability exposed passwords because it allowed the criminals to steal hashed password values by “phoning home.”
The micropatch that Adobe released didn't exactly fix the vulnerability immediately. Instead, it showed a security warning whenever users used Adobe Reader in a way that could be exploited by cyber criminals. The official security updates were released later, according to Adobe's official patch schedule.
Another example of a big, reputable company fixing zero day vulnerabilities is Apple, which fixed several security issues related to iOS and macOS Mojave in the beginning of February. Apple fixed four vulnerabilities that could have been exploited. Perhaps the biggest vulnerability known to the general public was the FaceTime bug that allowed anyone to use the app to eavesdrop on users' conversations. The point with such vulnerabilities is that the vendor does not know about them beforehand, and Apple was certainly not aware of the vulnerabilities it had to fix. When such issues are discovered accidentally by consumers or third-party researchers, that is a classic example of a zero day vulnerability.
Looking back for more examples, we can also mention an old critical flaw in macOS that could reveal passwords in plaintext. This zero day vulnerability was discovered and later fixed back in 2017. It had allowed random applications to export passwords in plaintext. Technically, Apple does not permit unsigned applications, so it would be really hard for a rogue program to be installed on macOS if the program hasn't been approved by Apple. Yet computer security experts suggested that even signed applications could have made use of that vulnerability. Therefore, the bottom line is that no one is ever safe, and we always have to take all the security measures available to protect our systems from harm.
How to Protect Your System from Zero Day Vulnerability
As mentioned, it might be hard to do anything about this issue unless the software vendor is aware that the vulnerability exists. In addition, the time frame between the release of the patch and its implementation can be used for malicious exploitation, too. Therefore, to minimize the potential of a malicious exploitation, users have to apply software updates immediately.
We do realize that some users may want to turn off the automatic update function on their devices, but that is not something we would recommend. If you allow your software to download scheduled updates, you will definitely minimize the potential of a malicious exploitation.
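The two time frames described above (the vendor's time to release a patch, then each user's time to install it) can be measured per device. The following is an added example, not part of the original article; the dates and host names are constructed sample data.

```python
from datetime import date

# Constructed sample data: one vulnerability and a small device inventory.
DISCOVERED = date(2019, 2, 1)       # vulnerability becomes known
PATCH_RELEASED = date(2019, 2, 21)  # vendor ships the fix
AS_OF = date(2019, 3, 15)           # day the report is run
INSTALLED = {                       # host -> date patch was applied (None = never)
    "laptop-01": date(2019, 2, 21),
    "laptop-02": date(2019, 3, 1),
    "desktop-07": None,
}


def vendor_window_days(discovered, patch_released):
    """Days from discovery to patch release: the N in 'N-day vulnerability'."""
    if patch_released < discovered:
        raise ValueError("patch cannot be released before discovery")
    return (patch_released - discovered).days


def host_exposure(discovered, patch_released, installed_on, as_of):
    """Return (total_days, days_after_patch, still_exposed) for one host."""
    still_exposed = installed_on is None
    # An unpatched host stays exposed up to the day the report is run.
    end = as_of if still_exposed else installed_on
    total = (end - discovered).days
    lag = max(0, (end - patch_released).days)
    return total, lag, still_exposed


def exposure_report(discovered, patch_released, installed, as_of):
    """Rank hosts by total exposure, longest first."""
    rows = []
    for host, installed_on in installed.items():
        total, lag, open_ = host_exposure(discovered, patch_released,
                                          installed_on, as_of)
        rows.append({"host": host, "total_days": total,
                     "patch_lag_days": lag, "still_exposed": open_})
    return sorted(rows, key=lambda r: r["total_days"], reverse=True)


if __name__ == "__main__":
    n = vendor_window_days(DISCOVERED, PATCH_RELEASED)
    print(f"{n}-day vulnerability")
    for row in exposure_report(DISCOVERED, PATCH_RELEASED, INSTALLED, AS_OF):
        state = "STILL EXPOSED" if row["still_exposed"] else "patched"
        print(f'{row["host"]:<11} total={row["total_days"]:>3}d '
              f'after-patch={row["patch_lag_days"]:>3}d {state}')
```

The vendor window is identical for every device; the per-host lag after the patch is the part that prompt updating shortens.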
Also, you can make it harder for cyber criminals to steal your passwords by keeping them in an encrypted vault. You can do that by employing a password manager to keep all of your passwords under one lock. You would then need to remember only one master password to access all of your other passwords (storing the master password anywhere on your system is not recommended). Either way, there are various ways to improve your system's security to minimize the potential harm you might face because of zero day vulnerabilities.
Aside from that, you will do yourself a favor by establishing safe online habits. You will always see security experts say that one needs to invest in a reliable antispyware tool, but that tool may not do much unless you actually employ safe web browsing habits. A security program cannot protect you from a stray click or a malicious download that you might initiate accidentally. Hence, it is important to use updated and reliable software, but how you interact with online content is immensely important as well.