THE ZERO-DAY VULNERABILITY

Conference Paper · April 2022


DOI: 10.24924/ijise/2021.04/v9.iss2/65.76


2 authors:

Onyechere Ugochukwu Franklin Mohamed Ismail


FTMS College Kolej UNIKOP

All content following this page was uploaded by Mohamed Ismail on 15 April 2022.



International Journal of Information System and Engineering
Vol. 9 (No 1.), April, 2021
ISSN: 2289-7615
DOI: 10.24924/ijise/2021.04/v9.iss2/65.76 www.ftms.edu.my/journals/index.php/journals/ijise
This work is licensed under a
Creative Commons Attribution 4.0 International License.

Research paper

THE ZERO-DAY VULNERABILITY

Onyechere Ugochukwu Franklin


Center for Cyber Security and Games
Canberra Institute of Technology (CIT), Australia
activate4u@yahoo.com

Mohamed Ismail Z
School of Engineering & Computing Sciences (SOECS)
FTMS College, Cyberjaya, Malaysia
ismail@ftms.edu.my

ABSTRACT

The threat of zero-day vulnerability attacks grows every day. This security threat has been
considered unmeasurable because software flaws are less predictable than hardware faults, and
the process of identifying such flaws and developing fixes is unpredictable and difficult to
complete. A zero-day attack can only be identified early and avoided. In this paper we discuss
zero-day exploits, some additional threats used to compromise enterprise endpoints, and some
of the security measures that can be used to control the zero-day security threat.

Keywords: Vulnerability, Exploit, Zero-Day

1.0 Introduction

A zero-day vulnerability is a hole in software that is unknown to the vendor and is exploited by
attackers before the vendor becomes aware of it and seeks a fix for the hole. Zero-day attacks
are usually enabled by unknown vulnerabilities. The information imbalance between what the
attacker knows and what the defender knows makes zero-day exploits very difficult to detect.
Information-stealing malware uses ever-advancing techniques for exploiting application
vulnerabilities, infecting targeted endpoints and stealing information.

Billions of organizations and trillions of people are connected to the internet to seek
information, conduct business, communicate, and buy goods and services of every kind, and
criminal elements also take part in the global internet, skimming away profits and leaving
victimized organizations in their wake. Protecting against zero-day attacks is known to be one
of the fundamental security challenges yet to be solved.

Vulnerabilities are unintended flaws found in software programs. They can be the result of
improper security configurations and programming errors that are left unaddressed. These
create security holes that eventually give cybercriminals an opportunity to exploit.

Page 65
For the vendor to rectify a vulnerability, the software company has to release a patch, and
patches are sometimes released on a daily basis. Microsoft's patching is one example: on the
second Tuesday of every month, Microsoft releases security fixes that resolve identified holes
in its software.

According to John Wiley and Sons (2014), cybercriminal organizations develop zero-day exploits,
malicious pieces of software that take advantage of unknown zero-day vulnerabilities for which
no patches exist. Organizations are concerned about zero-day vulnerabilities because they are a
favourite target for attackers: many machines are affected and no protection is available.
Zero-day exploits are quite harmful and are often used to infect user machines or user accounts
with advanced, remotely controlled malware and to steal information.

Cybercriminal organizations seem to become more motivated and more skilled every day as they
continue to grow.

2.0 Literature Review

The term zero-day refers to the number of days a software vendor has known about the
vulnerability (Libicki, Ablon, and Webb, 2015). A zero-day is said to be taken advantage of by
malware before a patch has been created. The name "zero-day" denotes that the attack occurs
before the vulnerability is known and the developers have had zero days to fix it.

According to Microsoft (March 2020), zero-day attackers were exploiting two separate
vulnerabilities that affected all supported Windows versions, and no patch was expected until
some weeks later. The attacks targeted remote code execution (RCE) vulnerabilities in the Adobe
Type Manager (ATM) library. It was believed that the flaws in ATM would enable attackers to use
malicious documents to run scripts remotely; the documents would either be downloaded or
arrive through spam to unsuspecting users. When such a file is opened or previewed with
Windows File Explorer, the scripts would run and infect the user's device.

Attackers use zero-day vulnerabilities to go after organizations and targets that diligently
stay current on patches; those that are not diligent can be attacked through vulnerabilities
for which patches exist but have not been applied. Zero-day vulnerabilities and their exploits
are a useful tool in cyber operations, whether by militaries, criminals or governments, as well
as in defensive work such as penetration testing and in academic settings.

According to a Malwarebytes Labs publication (April 2020), zero-day attacks were reported
against the Sophos XG firewall; the attacks attempted to exploit an SQL injection vulnerability
targeting the firewall's built-in PostgreSQL database server.

According to Kaur & Singh (2014), the most dangerous attacks, which appear to be the hardest to
detect, are polymorphic worms, which show distinct behaviours and pose a serious threat to
internet security. These computer worms spread rapidly and progressively threaten internet
hosts and services by exploiting unknown vulnerabilities. They can change their own
representation on each new infection, and some have many signatures, so generating
fingerprints for them is very difficult.

Attackers leverage such a vulnerability by tricking users into visiting a website crafted to
exploit the flaw; this can also be accomplished through email phishing or the redirection of
links and server requests.

It is obvious that for a zero-day vulnerability no patch is readily available, and the vendor
may or may not be aware of it. A zero-day attack exploits a vulnerability that has not been
disclosed to the public, which includes the software vendor, so no defence mechanism is
available to act against the attack.

Anti-virus and firewall products cannot detect the attack via signature-based scanning because
the vulnerability is unknown.

2.1 Traditional Defences against Zero-day attacks


It is true that any organization connected to the internet shares the common security threat of
zero-day vulnerability attacks. The main purposes of these attacks are monitoring the target's
operations, sensing confidential information, disrupting systems and stealing commercial
information.

2.2. Impact of Zero-Day Vulnerabilities


Zero-days can inflict a serious impact because they often go unnoticed by the software vendor.
The time it takes for the vendor to become aware of the flaw and to develop a patch to prevent
further exploitation is the time during which hackers continue exploiting the data, nodes and
systems within the network. Hackers take advantage of this flaw and steal valuable information,
leading to major losses for a company. The day the vulnerability is identified is known as
"day zero", and it is usually the day the vendor kick-starts efforts to find patches. Yet even
with the release of workarounds and fixes, the end user's system will still be vulnerable until
the fix is applied, and this is a convincing reason to keep all applications on digital systems
updated.

2.3 Impacts on Business


A zero-day vulnerability can give hackers full access to the organization's system files, to
steal them and sell them on the black market for money. It also exposes all of the
organization's data and finances to the hacker, leading to the possibility of threats from
multiple hackers. System administrators are left with a small time window to fix the anomaly
and thwart major data loss, because system vulnerabilities due to zero-days often go unnoticed.

2.4 How to detect Zero-Day Vulnerabilities

There are many ways to identify zero-day vulnerabilities, and they include:

· Statistics-based detection: This strategy defines the safe system behaviour, and any
deviation from the defined standard triggers a warning. Machine learning is used to extract
and continuously review previous exploit data to come up with a baseline for the vulnerable
system.

· Behaviour-based detection: The strategy in which the interaction of inbound files with the
targeted system is continuously monitored to identify, and even anticipate, the possibility of
malicious attacks.

· Signature-based detection: Machine learning is adopted to analyse and assign signatures to
bogus scripts or malware, and the resultant malware database is used to identify new
vulnerability threats or unknown vulnerabilities.
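The contrast between the signature-based and statistics-based strategies above, and the point made at the end of section 2 that signature scanning cannot see an unknown vulnerability, as an added example that is not part of the paper: the signature list, the baseline history and the three endpoint events are constructed placeholders, and the three-standard-deviation threshold is an assumed choice.

```python
"""Added example (not part of the paper): signature-based versus
statistics-based detection from section 2.4, run on constructed data.
A signature match only catches payloads already in the malware database,
so a never-seen (zero-day) payload is missed; a statistical baseline of
normal behaviour still raises a warning when the host deviates from it."""
import statistics
from typing import Dict, List, Tuple

# Constructed "malware database" of known payload hashes (placeholders,
# not real indicators).
KNOWN_SIGNATURES = {"sig-known-0001", "sig-known-0002"}

# Constructed history of outbound connections per hour for one endpoint
# during normal operation (24 hourly samples).
NORMAL_HISTORY = [12, 15, 11, 14, 13, 16, 12, 10, 15, 14, 13, 12,
                  11, 14, 16, 13, 12, 15, 14, 11, 13, 12, 15, 14]


def signature_match(payload_hash: str, signatures=KNOWN_SIGNATURES) -> bool:
    """Signature-based detection: hit only if the hash is already known."""
    return payload_hash in signatures


def build_baseline(history: List[int]) -> Tuple[float, float]:
    """Statistics-based detection, step 1: learn the 'safe' behaviour as
    mean and standard deviation of the historical observations."""
    return statistics.mean(history), statistics.stdev(history)


def deviates(value: int, baseline: Tuple[float, float], k: float = 3.0) -> bool:
    """Step 2: any observation more than k standard deviations above the
    learned mean counts as a deviation from the defined standard (k assumed)."""
    mean, sd = baseline
    return value > mean + k * sd


def assess(event: Dict) -> Dict[str, bool]:
    """Run both strategies on one constructed endpoint event."""
    baseline = build_baseline(NORMAL_HISTORY)
    return {
        "signature_hit": signature_match(event["payload_hash"]),
        "baseline_alert": deviates(event["outbound_per_hour"], baseline),
    }


# Constructed events: a known sample, an unknown (zero-day) payload that
# makes the host beacon far above its baseline, and benign activity.
KNOWN_MALWARE_EVENT = {"host": "ws-01", "payload_hash": "sig-known-0001",
                       "outbound_per_hour": 14}
ZERO_DAY_EVENT = {"host": "ws-02", "payload_hash": "sig-never-seen-9999",
                  "outbound_per_hour": 240}
BENIGN_EVENT = {"host": "ws-03", "payload_hash": "sig-benign-0042",
                "outbound_per_hour": 13}

if __name__ == "__main__":
    for ev in (KNOWN_MALWARE_EVENT, ZERO_DAY_EVENT, BENIGN_EVENT):
        print(ev["host"], assess(ev))
```

The known sample is caught only by its signature, the zero-day sample only by the baseline, which is why the paper recommends layering the strategies rather than relying on signatures alone.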

2.5 Protective Measures

It is your responsibility to protect yourself by:

· Securing the gateways of email, servers and networks: Zero-day attacks can target different
parts of a company's online infrastructure. Overlooking the smallest factor, such as not
vetting emails from shady addresses, can open the way for malware or cyber-attacks.
· Updating software packages to prevent cyber-attacks: Updating software regularly lowers the
number of flaws; this means identifying, applying and updating patches to systems, networks
and servers as soon as software updates are available. Individuals should adopt patch
management policies that are activated as part of incident response and remediation
strategies.
· Enforcing the principle of least privilege: Restrictions on open-source penetration testing
and system administration tools should be equally enforced at the time of a vulnerability,
because software threats are usually channelled through these systems.
· Planning and executing multi-layer security defences: Additional layers of security, such
as firewalls and intrusion detection systems, filter and prevent hostile traffic to the
servers and minimise the risk of cyber-attacks. When these strategies are combined with other
awareness steps (e.g., behaviour monitoring), they can even prevent dubious malware-infected
programs from being deployed and executed.
· Implementing cybersecurity hygiene: Encouraging a culture of cybersecurity awareness of
practices such as phishing attacks can be an ideal strategy for foreseeing and thwarting
cyber-attack concerns. It also involves deploying high-end security risk mitigation systems
that are monitored 24/7 for data security.

2.6 Responsibilities of a software vendor against Zero-day Vulnerabilities

· The software vendor should provide a back door for recovery of data. This requires backing
up critical systems, and a contingency plan should also be in place in case of attack.
· The software vendor should closely monitor core data, which includes a thorough
investigation of Active Directory, VPN, DNS and email.
· Enforce strict and updated software, along with preparing users to identify a warning of an
attack.

3.0 Research Design and Methodology

Zero-day vulnerabilities are a subset of the total number of vulnerabilities documented over
the reporting period.

A zero-day vulnerability is one that appears to have been exploited, based on those publicly
reported. It may not have been known to the affected vendor prior to exploitation, and
presumably the vendor had not released a patch at the time of the exploitation activity.

The data collection for this research consists of the vulnerabilities that Malwarebytes Labs
and Symantec have identified that meet the above criteria. The researcher used the survey
method during data collection; it is known to be one of the most commonly used study
approaches. The survey approach goes beyond data gathering and tabulation.

However, there is no more direct way of finding out what people feel and think than by asking
them directly, and for this reason the survey method was selected as an important research
method. The survey data collection method involves the classification, application,
interpretation and elevation towards appropriate understanding and solution of the challenges.

During this research, the researcher distributed questionnaires randomly to participants on
various online social media platforms such as Facebook, LinkedIn and WhatsApp. The survey was
also distributed face-to-face in Australia and other countries. A total of 120 participants
were contacted with the survey; 50 participants responded and returned it, while the other 70
could not participate for personal reasons best known to them.

Descriptive statistics were used in the analysis of the findings. The participant responses
were analysed using simple percentages, and conclusions were drawn based on the participants'
answers to the research questions.

4.0 Results and Discussions

1. How can IT vendors minimize the impact of zero-day vulnerability and exploits?

(Pie chart: IT security configuration 72%, Software Patching 22%, Exposing the hackers 6%)

Answer choices                Responses
Software Patching             21.88%    14
IT security configuration     71.88%    31
Exposing the hackers           6.25%     5
TOTAL                                    50

It is evident that IT vendors could minimize the impact of zero-day vulnerability and exploits
by having a stronger or more secure IT security configuration, as suggested by 72% of
participants, while 22% of participants suggested software patching and 6% suggested exposing
the hackers.

2. Who finds the hole in the software in a zero-day vulnerability?

(Pie chart: Hackers 41%, The developer 25%, A third party that is not malicious 22%, The
customer 12%)

Answer choices                          Responses
The customer                            12.50%     8
The developer                           25.00%    14
Hackers                                 40.63%    18
A third party that is not malicious     21.88%    10
TOTAL                                              50

It is evident that the software hole in a zero-day vulnerability is first discovered by
hackers, as 41% of participants pointed out, while 25% said the software developers, 22% a
third party that is not malicious, and the remaining 12% the customers.

3. What is the first thing that a developer should try to do in the event of a zero-day
vulnerability?

(Pie chart: Stop data breaches 75%, Think like a hacker 10%, Limit other zero-day
vulnerabilities while one is ongoing 9%, Find the hacker 6%)

Answer choices                                               Responses
Find the hacker                                               6.25%     6
Stop data breaches                                           75.00%    30
Think like a hacker                                           9.38%     6
Limit other zero-day vulnerabilities while one is ongoing     9.38%     8
TOTAL                                                                   50

It is evident that the first thing a developer should do in the event of a zero-day
vulnerability is to stop the data breaches, as suggested by 75% of participants; 10% of
participants suggested that software developers should think like hackers, 9% suggested
limiting other zero-day vulnerabilities while one is ongoing, and 6% suggested that software
developers should find the hacker.

4. How many days does a team have to respond to a zero-day vulnerability?

(Pie chart: Zero 47%, Unlimited 41%, Two 6%, One 6%)

Answer choices     Responses
Zero               46.88%    20
One                 6.25%     6
Two                 6.25%     6
Unlimited          40.63%    18
TOTAL                         50

It is evident that a team of software developers should respond as quickly as they can. The
participants suggested zero days (47%), unlimited days (41%), two days (6%) and one day (6%).

5. Which one of the following security controls is most effective against zero-day attacks?

(Pie chart: Vulnerability scans 58%, Signature-based antivirus 33%, Application control 7%,
Intrusion prevention systems 2%)

Answer choices                   Responses
Application control              13.89%     8
Signature-based antivirus        13.89%     8
Vulnerability scans              25.00%    13
Intrusion prevention systems     47.22%    21
TOTAL                                       50

It is evident that some security controls are more effective than others: 58% of participants
suggested that a vulnerability scan is most effective, while 33% of participants suggested
signature-based anti-virus, 7% suggested application control and 2% intrusion prevention
systems.

6. Is the vulnerability really a zero-day?

(Pie chart: 47%, 37%, 16%)

Answer choices     Responses
Alive              46.88%    22
Dead               15.63%     9
Others             37.50%    19
TOTAL                         50

It is evident that 47% of participants suggested that the vulnerability really is a zero-day,
while 37% of participants answered "others" and 16% said it is alive.

7. How long will the vulnerability remain undiscovered and undisclosed to the public?

(Pie chart: Less than 2 years 91%, 3 years 4%, 5 years 4%, 6 years and above 1%)

Answer choices          Responses
Less than 2 years       75.00%    29
3 years                  3.13%     5
5 years                  3.13%     5
6 years and above       18.75%    11
TOTAL                              50

It is evident that 91% of participants accepted that the vulnerability will remain undiscovered
and undisclosed to the public for less than 2 years, while 4% of participants suggested 3 years,
4% suggested 5 years and 1% suggested 6 years and above.

8. What is the likelihood that others will discover and disclose the vulnerability?

(Pie chart: Discovered by public researcher 39%, Found within a code base 32%, Discovered by
private researcher 28%, Found by big hunters 1%)

Answer choices                         Responses
Discovered by public researcher        31.25%    18
Discovered by private researcher       21.88%    10
Found within a code base               25.00%    12
Found by big hunters                   21.88%    10
TOTAL                                             50

It is evident that 39% of participants said the vulnerability is most likely to be discovered
and disclosed by a public researcher, while 32% said it would be found within a code base, 28%
said discovered by a private researcher and 1% said found by big hunters.

9. What factors does the cost to develop an exploit for the vulnerability depend on?

(Pie chart: Research time 56%, Exploit development time 33%, The time to set up a test lab 9%,
The cost to purchase the appropriate infrastructure or tools 2%)

Answer choices                                                  Responses
Research time                                                   37.50%    18
Exploit development time                                        21.88%    11
The time to set up a test lab                                    6.25%     6
The cost to purchase the appropriate infrastructure or tools    34.38%    15
TOTAL                                                                      50

It is evident that research time is considered the main factor on which the cost of developing
an exploit for a vulnerability depends (56%), while 33% of participants said exploit
development time, 9% said the time to set up a test lab and 2% said the cost to purchase the
appropriate infrastructure or tools.

10. What is the average time to develop an exploit?

(Pie chart: 6-37 days 61%, 1 day minimum 33%, 9-55 days maximum 4%, Unknown days 2%)

Answer choices          Responses
1 day minimum           21.88%    13
6-37 days               40.63%    19
9-55 days maximum        3.13%     7
Unknown days            34.38%    11
TOTAL                              50

It is evident that the average time to develop an exploit is said to be 6-37 days, as suggested
by 61% of participants, while 33% of participants said 1 day minimum, 4% said 9-55 days maximum
and 2% said unknown.

5.0 Conclusion

The results of the survey so far have revealed that the zero-day vulnerability is still unknown
to some people, while others are aware of it. Some individuals who knew more contacted me after
I sent them the survey links, for clarification before carefully opening the links. However,
there is a need for vendors to create awareness and educate customers and the general public
about zero-day vulnerabilities, and about the need to keep all phones and electronic gadgets
updated at all times.

References

file:///C:/Users/Franklin/Downloads/zero%20day%20attacks%20security%20paper/02-AnalyzingofZeroDayAttackanditsIdentificationTechniques.pdf (accessed 1/11/2020)

https://files.netmediaeurope.com/it/resources/14/05/stopping_zero_day_exploits_for_dummies.pdf (accessed 15/11/2020)

https://csrc.nist.gov/CSRC/media/Projects/Measuring-Security-Risk-in-Enterprise-Networks/documents/cns-final.pdf (accessed 20/11/2020)

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/06/a-zero-day-guide-for-2020/ (accessed 5/12/2020)

https://www.surveymonkey.com/analyze/h3VscShGy80zySkZU9lD9Dup156WaPVDGmAQGSNwtStkOw6dSbZtvG9SeCX5_2Bi7A (accessed 10/12/2020)

https://msrc.microsoft.com/update-guide/vulnerability/ADV200006 (accessed 7/12/2020)

Libicki, Martin C., Lillian Ablon, and Tim Webb, Defender's Dilemma: Charting a Course Toward Cybersecurity, Santa Monica, Calif.: RAND Corporation, RR-1024-JNI, 2015. As of January 30, 2017: http://www.rand.org/pubs/research_reports/RR1024.html

Kaur, R.; Singh, M., "Efficient hybrid technique for detecting zero-day polymorphic worms," Advance Computing Conference (IACC), 2014 IEEE International, pp. 95-100, 21-22 Feb. 2014.

https://www.forcepoint.com/cyber-edu/zero-day-exploit

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/security-101-zero-day-vulnerabilities-and-exploits
