#Why Are There So Many Zero-Day Security Holes?

Cybercriminals use zero-day vulnerabilities to break into computers and networks. Zero-day exploits seem to be on the rise, but is that really the case? And can you defend yourself? We look at the details.

Zero-Day Vulnerabilities

A zero-day vulnerability is a bug in a piece of software. Of course, all complicated software has bugs, so why should a zero-day be given a special name? A zero-day bug is one that has been discovered by cybercriminals but the authors and users of the software don’t yet know about it. And, crucially, a zero-day is a bug that gives rise to an exploitable vulnerability.

These factors combine to make a zero-day a dangerous weapon in the hands of cybercriminals. They know about a vulnerability that no one else knows about. This means they can exploit that vulnerability unchallenged, compromising any computers that run that software. And because no one else knows about the zero-day, there will be no fixes or patches for the vulnerable software.

So, for the short period between the first exploits taking place—and being detected—and the software publishers responding with fixes, the cybercriminals can exploit that vulnerability unchecked. Something overt like a ransomware attack is unmissable, but if the compromise is one of covert surveillance it might be a very long time before the zero-day is discovered. The infamous SolarWinds attack is a prime example.

RELATED: SolarWinds Hack: What Happened and How To Protect Yourself

Zero-Days Have Found Their Moment

Zero-days aren’t new. But what is particularly alarming is the significant increase in the number of zero-days being discovered. More than double have been found in 2021 than in 2020. The final numbers are still being collated for 2021—we’ve still got a few months to go, after all—-but indications are that around 60 to 70 zero-day vulnerabilities will have been detected by the year-end.

Zero-days have a value to the cybercriminals as a means of unauthorized entry to computers and networks. They can monetize them by executing ransomware attacks and extorting money from the victims.

But zero-days themselves have a value. They are saleable commodities and can be worth huge sums of money to those who discover them. The black market value of the right kind of zero-day exploit can easily reach many hundreds of thousands of dollars, and some examples have exceeded $1 million. Zero-day brokers will buy and sell zero-day exploits.

Zero-day vulnerabilities are very difficult to discover. At one time they were only found and used by well resourced and highly-skilled teams of hackers, such as state-sponsored advanced persistent threat (APT) groups. The creation of many of the zero-days weaponized in the past has been attributed to APTs in Russia and China.

Of course, with enough knowledge and dedication, any sufficiently accomplished hacker or programmer can find zero-days. White hat hackers are among the good buys who try to find them before the cybercriminals. They deliver their findings to the relevant software house, who will work with the security researcher who found the issue to close it off.

New security patches are created, tested, and made available. They’re rolled out as security updates. The zero-day is only announced once all the remediation is in place. By the time it becomes public, the fix is already out in the wild. The zero-day has been nullified.

Zero days are sometimes used in products. The NSO Group’s controversial spy-ware product Pegasus is used by governments to fight terrorism and maintain national security. It can install itself on mobile devices with little or no interaction from the user. A scandal broke in 2018 when Pegasus was reportedly used by several authoritative states to conduct surveillance against its own citizens. Dissidents, activists, and journalists were being targeted.

As recently as September 2021, a zero-day affecting Apple iOS, macOS, and watchOS—that was being exploited by Pegasus—was detected and analyzed by The University of Toronto’s Citizen Lab. Apple released a series of patches on Sept. 13, 2021.

Why The Sudden Surge in Zero-Days?

An emergency patch is usually the first indication a user receives that a zero-day vulnerability has been discovered. Software providers have schedules for when security patches, bug fixes, and upgrades will be released. But because zero-day vulnerabilities must be patched as soon as possible, waiting for the next scheduled patch release isn’t an option. It’s the out-of-cycle emergency patches that deal with zero-day vulnerabilities.

If you feel like you’ve been seeing more of those recently, it’s because you have. All mainstream operating systems, many applications such as browsers, smartphone apps, and smartphone operating systems have all received emergency patches in 2021.

There are several reasons for the increase. On the positive side, prominent software providers have implemented better policies and procedures for working with security researchers who approach them with evidence of a zero-day vulnerability. It’s easier for the security researcher to report these defects, and the vulnerabilities are taken seriously. Importantly, the person reporting the issue is treated professionally.

There’s more transparency too. Both Apple and Android now add more detail to security bulletins, including whether an issue was a zero-day and if there is a likelihood that the vulnerability was exploited.

Perhaps because security is being recognized as a business-critical function—and is being treated as such with budget and resources—attacks have to be smarter to get into protected networks. We do know that not all zero-day vulnerabilities are exploited. Counting all of the zero-day security holes isn’t the same as counting the zero-day vulnerabilities that were discovered and patched before cybercriminals found out about them.

But still, powerful, organized, and well-financed hacking groups—many of them APTs—are working full-tilt to try to uncover zero-day vulnerabilities. They either sell them, or they exploit them themselves. Often, a group will sell a zero-day after they’ve milked it themselves, as it is approaching the end of its useful life.

Because some companies don’t apply security patches and updates in a timely fashion, the zero-day can enjoy an extended life even though the patches that counteract it have are available.

Estimates suggest that a third of all zero-day exploits are used for ransomware. Big ransoms can easily pay for new zero-days for the cybercriminals to use in their next round of attacks. The ransomware gangs make money, the zero-day creators make money, and round and round it goes.

Another school of thought says that cybercriminal groups have always been flat-out trying to uncover zero-days, we’re just seeing higher figures because there are better detection systems at work. Microsoft’s Threat Intelligence Center and Google’s Threat Analysis Group along with others have skills and resources that rival intelligence agencies’ capabilities at detecting threats in the field.

With the migration from on-premise to cloud, it’s easier for these types of monitoring groups to identify potentially malicious behaviors across many customers at once. That’s encouraging. We might be getting better at finding them, and that’s why we’re seeing more zero-days and early in their life-cycle.

Are software authors getting sloppier? Is code quality dropping? If anything it should be rising with the adoption of CI/CD pipelines, automated unit testing, and a greater awareness that security must be planned in from the outset and not bolted on as an afterthought.

Open-source libraries and toolkits are used in almost all non-trivial development projects. This can lead to vulnerabilities being introduced to the project. There are several initiatives underway to try to address the issue of security holes in open-source software and to verify the integrity of downloaded software assets.

How To Defend Yourself

Endpoint protection software can help with zero-day attacks. Even before the zero-day attack has been characterized and the antivirus and anti-malware signatures updated and sent out, anomalous or worrying behavior by the attack software can trigger the heuristic detection routines in market-leading endpoint protection software, trapping and quarantining the attack software.

Keep all software and operating systems up to date, and patched. Remember to patch network devices too, including routers and switches.

Reduce your attack surface. Only install required software packages, and audit the amount of open-source software you use. Consider favoring open-source applications that have signed up to artifact signing and verification programs, such as the Secure Open Source initiative.

Needless to say, use a firewall and use its gateway security suite if it has one.

If you’re a network administrator, limit what software users can install on their corporate machines. Educate your staff members. Many zero-day attacks exploit a moment of human inattention. provide cybersecurity awareness training sessions, and update and repeat them frequently.

RELATED: Windows Firewall: Your System’s Best Defense