
Some zero-day vulnerabilities are exploited actively. How does this happen? How often does this happen? How do so many hackers get to know about the same vulnerability?

schroeder

2 Answers


People look for new, undisclosed vulnerabilities. That's how they become zero-days. Then, once they find them, they exploit them. Then, they often share what they found with their friends, or sell the info on the black market.

This is all available for you to know if you perform a little research, like on wiki: https://en.wikipedia.org/wiki/Zero-day_(computing)

schroeder
  • But how are they exploited at such large scales? –  Dec 26 '16 at 14:00
  • Like so many hackers know the same vulnerability. All of them aren't friends. –  Dec 26 '16 at 14:24
  • I already mentioned that in my answer: it is sold. And you are not thinking large enough when I say 'friends'. Imagine a Russian crime syndicate, or the Chinese Army finding a zero-day. That's a lot of people all exploiting the same vulnerability. – schroeder Dec 26 '16 at 15:58
  • So white hats don't discover 0day? I guess by your definition the work of project zero makes google a blackhat. I get that op was asking about exploitation in the wild, but I feel like it's important to clarify that 0day applies to all undisclosed bugs, and it's not an "evil" term – wireghoul Jan 23 '17 at 13:06
  • @wireghoul given the definition of "0day" from wiki, the defining characteristic is that it is undisclosed yet exploited. My wording does not preclude whitehats doing work. – schroeder Jan 23 '17 at 17:38
  • "Once they find them they exploit them" seems rather at odds with whitehats is all :) – wireghoul Jan 23 '17 at 19:32
  • @wireghoul right, not surprising if the whitehat wants to compose a PoC or further documentation. Find the vuln, do not disclose, and exploit in order to document. – schroeder Jan 23 '17 at 21:56

Day 0 can be very, very long

When you're talking about zero-day vulnerabilities, the days start counting from public disclosure of the vulnerability. Assuming that a "black hat" discovers the vulnerability, it can be used on many targets (possibly for multiple years) before it's disclosed.

Furthermore, if a vulnerability is discovered "in the wild", then it's quite likely that an exploit is available to the public on the same day, but a fix or workaround is not yet developed. People with a motivation to attack particular targets are constantly monitoring this information, and would reasonably apply a useful vulnerability on the same day as it's available, since the actual exploit is just a small part of an attack or botnet and they can have the rest of the infrastructure and target information prepared and waiting for the time when a new vulnerability inevitably appears.

Peteris