
What’s a “Zero-Day” Attack?

Can you tell me more about zero-day drive-by attacks? I experienced one on my fully updated and patched Windows computer (automatic Windows Update ON) which has the latest anti-malware tools. I saw the hacked behavior and immediately turned off my computer. Scanning both before and after this attack showed no prior or present malware infection. Is this the best response for such attacks as it appears to have successfully prevented malware infection by this drive-by attack that I experienced?

The very nature of a zero-day exploit is that a signature-based virus scanner will report you as clean both before and after you've been infected: it can only flag what it already knows about.

Not until your anti-malware vendor adds detection for the new malware to its database, and you take that update, does your scanner know what to look for.

Yes, that means you may still be infected, even though the scans came back clean.

Let’s go through the timeline that got you here.


Vulnerabilities exist

There are security vulnerabilities in Windows (and all operating systems) that have not yet been discovered.

If no one knows about them, there's no immediate threat: attackers can't exploit what they don't know exists.

Not infrequently, a "good guy" (a security researcher) discovers a vulnerability but keeps it secret so malware authors don't find out about it and start exploiting it. Instead, the researcher reports it privately to Microsoft so a fix can be made available before the details become general knowledge. This is usually called coordinated disclosure.

Quite often, as a not-so-subtle form of encouragement to fix the problem, the reporter will indicate that he or she will make the details public within a certain amount of time. For example, Microsoft might be given 90 days to release a fix for the vulnerability.

That’s if one of the good guys finds it first.

If a malware author discovers the problem and releases malware that exploits it, then systems can become infected before anti-virus software providers can update their databases and release the update to their users.

If malware exploiting a specific vulnerability is found "in the wild" before a fix for that vulnerability is available, Microsoft has had zero days to prepare a fix. Hence it's called a "zero-day" vulnerability, exploit, or attack.

The zero-day timeline

Let’s look at the timeline a little more closely.

Zero-Day Timeline

Vulnerability Introduced: almost always this is a simple programming error or oversight, and it may have been made years ago. The bug has existed the entire time, but again, if no one knows about it, no one can exploit it, so it lies dormant.

Vulnerability Discovered by Hackers: once discovered, the race is on. Hackers try to keep the nature of the issue to themselves for as long as possible, so as to delay any fix.

This begins what I'm calling the Window of Complete Vulnerability: there's a bug, there is malware that exploits it, anti-malware software does not yet detect it, and there is no fix for it. There's little you can do.[1]

Malware Exploiting Vulnerability Discovered: at some point, the existence of the problem becomes public knowledge, usually by finding and reverse engineering malware that exploits it.

Anti-malware Detection Updated: as new malware is discovered, anti-malware tool vendors add the information needed to detect it to their databases. This is why it's so critical you keep your anti-malware databases as up to date as possible. Without the latest updates, your scanners will not know how to detect the latest threats. (Behavior-based and heuristic detection in modern tools can sometimes catch new malware before a specific signature exists, but treat that as a bonus, not something to rely on.)

This begins what I call the period of Partial Vulnerability. Some of the malware making use of the exploit can now be detected and blocked by anti-malware tools. This is only partial safety: the vulnerability still exists, and there is no fix for it. New malware will be written making use of the same vulnerability, attempting to stay one step ahead of the anti-malware vendors.

Vulnerability Fixed: at some point, Microsoft releases a patch that fixes the bug. Systems updated to include the fix can no longer be exploited through that vulnerability; malware that tries will simply fail. Note what the patch does not do: it doesn't remove malware that got in before the patch was applied. That's why you need both: regular operating system updates to close the holes, and up-to-date anti-malware to deal with whatever got through while they were open.

Like I said, it's a race. In the best cases, Microsoft has time to release a patch before the vulnerability is exploited at all.

Unfortunately, it’s all too common that they have zero days to do so.

Zero-day response

If you find yourself in the situation described by our questioner, I have some suggestions:

  • Restore your computer from a backup image taken prior to the infection. This is the only approach that reliably undoes everything the malware may have done.
  • If you don't have a backup, try System Restore to a point prior to the infection. This isn't guaranteed: System Restore rolls back system files and settings, not everything malware might have left behind, but depending on the specific malware involved, it might help.
  • Check with your anti-malware tool vendor immediately, or at least force an update of the database and perform a full anti-malware scan. Keep updating that database regularly, daily at minimum; most tools do this automatically, so confirm the automatic update is actually working.
  • If you can figure out what it was that caused the infection … well, don't do that again.
  • Take system updates promptly, so that you get the fix for the vulnerability as soon as it's released.
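Here is what those steps look like on a current Windows system with Microsoft Defender, as an added example written for this page; it is not Leo's code and not part of the original article. It assumes Windows PowerShell 5.1 run as Administrator, the built-in Defender cmdlets, and that System Restore is enabled. It deliberately does not perform a restore itself: that line is left commented so you pick the restore point by hand after checking the dates.

```powershell
# Added example: the triage steps above, on Windows with Microsoft Defender.
# Assumes Windows PowerShell 5.1 run as Administrator (Get-ComputerRestorePoint is
# not available in PowerShell 7) and the built-in Defender cmdlets.

# 1. How stale are the anti-malware signatures, and when did the last full scan end?
$status = Get-MpComputerStatus
"Real-time protection enabled : $($status.RealTimeProtectionEnabled)"
"Signature version            : $($status.AntivirusSignatureVersion)"
"Signature last updated       : $($status.AntivirusSignatureLastUpdated)"
"Signature age (days)         : $($status.AntivirusSignatureAge)"
"Last full scan ended         : $($status.FullScanEndTime)"

# 2. Force a signature update now, then start a full scan (this takes a while).
Update-MpSignature
Start-MpScan -ScanType FullScan

# 3. Has Defender detected anything recently? Threat IDs and the files involved.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, Resources |
    Format-List

# 4. Is the operating system actually up to date? Ask Windows Update (via its COM
#    API) for updates that are applicable but not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
if ($pending.Count -eq 0) {
    "No pending Windows updates."
} else {
    "Pending updates ($($pending.Count)):"
    foreach ($u in $pending) { "  - $($u.Title)" }
}

# Most recently installed hotfixes, newest first, to see when patching last happened.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# 5. Restore points available if you decide to roll back. Choose one created
#    *before* the suspicious event, then run the commented line with its number.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, RestorePointType
# Restore-Computer -RestorePoint <SequenceNumber>   # reboots the machine
```

If Windows Update reports pending security updates, install them before trusting any "clean" verdict from the scan: an unpatched machine can simply be re-infected by the same exploit.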

It’s all about the race between anti-malware tools, hackers, and software vendors.

Occasionally, it’s we who lose.


Footnotes & references

1: Naturally, there are other things you can do to stay safe, just not related to this specific vulnerability or any malware that exploits it. Those things include the standard recommendations of not opening attachments from untrusted sources, being behind a firewall, not visiting untrustworthy web sites, and so on.

6 comments on “What’s a “Zero-Day” Attack?”

  1. The Drive-by Attack, probably a Zero-Day one (as my computer was fully updated and patched) that I experienced, attempted a download of malware which I successfully aborted before its completion by switching my computer off manually. In such a case would there be a possibility of malware infection?

  2. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    It seems unlikely that you’d be infected, but there’s really no way to know
    *for certain* that you’re not. Did you turn it off in time? How would you know?

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFHL8YOCMEe9B/8oqERAtI6AJ9+bx1aqZ+9ndWyBC2S/2CjLMOlhwCeJv/K
    U9wiJESKNrv8cq3WGDtzEXQ=
    =2Req
    —–END PGP SIGNATURE—–

  3. several of us in the household and friends that come over have Yahoo email accounts, we’ll use the email and then it’ll start to ask if we want to “link” our accounts. NO NO NO we do not, is there some way to stop this?

  4. Leo didn’t address one part of the question, the “drive-by attack” part. Like for the word virus, drive-by attack may mean different things for different people. I define “drive-by” as malware that does not require any abnormal or confirmation action by the user in order to infect the computer. Like for zero-days, true drive-by attacks are relatively rare but get much higher attention because of their potential virulence. The Wanna Cry worm was an example of a drive-by attack; the user literally only had to have their computer on a LAN to be infected. (Conversely, Wanna Cry was *not* a zero-day virus; the exploited Windows vulnerability had been both known and patched.)

    As noted, there is very little an end user can do in the face of a zero-day drive-by attack other than the standard advice: keep your operating system *and* applications updated. It’s not just Windows that can get infected, it’s Adobe Reader and Flash, it’s Java and MS Office, and it’s your third-party browser and unsecured Wifi connection. And certainly don’t make it even easier by opening unknown attachments or files, clicking on links to unknown web pages, or believing everything you read on the Internet.

  5. Very good article, and I’ll add another category of good guys, who can also occasionally wreak havoc: intelligence agencies. As we have seen recently, they hoard vulnerabilities in order to attack bad guys (which is, I hasten to add, a good thing); however, in so doing they run the risk of being hacked themselves, and the vulnerabilities being used by bad guys against good guys — us. Which is what happened in the last few weeks.

    • If the “good guys” are hoarding the vulnerabilities they discover, they can probably defend themselves against those exploits. The bad thing is that they don’t want those patched on our machines.
