The frequency of zero-day exploits, which present unique challenges due to their novelty, has risen precipitously in 2013 and challenged many application control strategies. Major software platforms such as Java, Adobe Flash and Acrobat, and Microsoft Internet Explorer have fallen victim to sophisticated attacks. Knowing that governments and organizations will pay premiums for access to information about zero-day exploits, hackers have in turn created a market to sell such data.
Zero-day exploits can result in the rapid, large-scale loss of confidential information and intellectual property, since they evade many commonly used security tools. Antivirus tools, firewalls, gateways and intrusion prevention systems are all susceptible to zero-day attack. A recent catalog of incidents examined some specific exploits, including an attack delivered via a malicious PDF link and one that used a loophole in Flash to enable denial of service and memory corruption. A pair of Java exploits permitted delivery of chargeware and full-scale takeover of a user's operating system.
Because they evade many types of computer monitoring software, zero-day exploits may need to be countered with more astute update and patching strategies, as well as closer attention to the types of websites and files with which a user interacts. Sites that host malware remain one of the most popular mechanisms for zero-day exploits, underscoring the need for greater awareness while browsing.
The market for zero-day exploits
While cyber criminals continue to discover vulnerabilities, governments and businesses may have been encouraging them by offering to pay high prices for access to zero-day information. The average zero-day exploit lasts for 312 days and permits deep access to sensitive data of competitors or other countries. Exploits may target simple vulnerabilities, such as discovering that a password prompt can be bypassed with the Enter key on a keyboard, or advanced capabilities like code execution in Microsoft Office.
Whereas hackers may once have offered free access to zero-day exploit information to software companies and governments, many of them now demand a fee. Google and Mozilla have both set up bounty programs that reward investigators who can identify critical vulnerabilities, and there are now complex broker networks that connect hackers with potential buyers and charge a 15 percent fee. Typical buyers include intelligence services from the Middle East and countries like Russia, India and the U.K. On the seller side, startups in the military contracting space have used heightened concern about zero-day exploits to sell information and challenge industry leaders.