WHAT IS THE ZERO-DAY VULNERABILITY ?

-
WHAT IS THE ZERO-DAY VULNERABILITY 

A zero-day vulnerability is a previously unknown flaw in a computer program that exposes the program to external manipulation. Zero-day vulnerabilities have been found in many OS & programs, including Chrome, Internet Explorer, Adobe, and Apple products. Zero-day vulnerabilities also appear in software running critical infrastructure, such as power plants. What differentiates a zero-day from other computer vulnerabilities, and what makes it valuable, is that it is unknown to the software’s makers and users. Whoever has knowledge of a zero-day can exploit it from the “zero-th” day of its discovery, until the software maker or users learn of it and fix the vulnerability. What makes a zero-day vulnerability different from other cyber tools is that it is simply information. A zero-day encapsulates the knowledge that X could happen if you do Y. As Auriemma and Ferrante of ReVuln, a zero-day seller, argue, “we don’t sell weapons, we sell information.” Other companies, however, do sell weaponized vulnerabilities – zero-day “exploits” – that contain new software code taking advantage of a zero-day vulnerability. Desautels, of vulnerability-seller Netragard, states Netragard sells exploits. Zero-day exploits range in complexity and functionality, from enabling access to, monitoring, extracting information from, or damaging a software program. For instance, the Stuxnet program allegedly used by the United States to damage uranium-enrichment Iranian centrifuges made use of four zero-day vulnerabilities.
The term zero-day “vulnerability” describes the software flaw itself. When a zero day vulnerability is sold, knowledge of the flaw is sold. The press often uses the term zero-day “exploit” interchangeably to describe knowledge of a flaw or new software code exploiting a flaw. In this article, the term “exploit” refers only to new code written to take advantage of a zero-day vulnerability. Although turning a vulnerability into an exploit can be relatively easy, motivations for finding and exploiting vulnerabilities often differ. For instance, cybersecurity researchers have less motivation to turn vulnerabilities into exploits than someone selling or buying zero-days. This distinction between a zeroday vulnerability and exploit, and the different groups interacting with them, is important to make when analyzing regulatory options for the zero-day vulnerability trade. Vulnerabilities are most exploitable if kept secret. Zero-days are discovered and not made, so there is no guarantee someone in possession of a vulnerability is the only person who knows about it. The value of secrecy complicates efforts to control the zero-day trade because it contributes to market opacity and lack of transparency about buyer and seller behavior.
Zero-days are traded in three markets. As defined in this article, the “white market” encompasses sales of vulnerabilities between zero-day vulnerability hunters and software vendors or third-party clearinghouses. The “black market” describes interactions where the buyer or the seller has criminal intent. The “grey market” involves interactions between vulnerability sellers and government agencies conducted as legal business deals. It also encompasses sales between vulnerability sellers and legal users of zero-day vulnerabilities, including high-end cybersecurity firms. This article distinguishes between “legal” and “legitimate” zero-day vulnerability markets. White-market and gray-market transactions are legal, and black market transactions illegal. The negative security ramifications of the grey market mean this article designates only white-market options legitimate. Grey-market firms, rather than freelance hackers, now sell more than half of zero-day vulnerabilities. NSS Labs included many of the firms in its market analysis, and concluded that “half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year, resulting in privately known exploits being available on any given day,” at minimum. One seller identified the decreased risk of getting ripped off, the possibility of job offers, and stable contracts with government or industry clients as reasons vulnerability hunters choose to operate on the grey market.

Comments

Post a Comment

Popular posts from this blog

What to do when police does not take your FIR?

-
Image
What to do when FIR is not taken by the Police ? A First Information Report is the first legal document that initiates criminal proceedings. The first information received about the commission of a cognizable offense has to be noted down by a Police Officer. It is called as  First Information Report under Section 154 of CRPC. Cognizable and Non-Cognizable Offences: Cognizable offences  are offences where the police can arrest the accused without any warrant. In such offences, the police can Suo-moto take cognizance of the offence and it does not require any sanction from the court in order to begin the investigation. On the other hand,  Non-Cognizable  offences are those in which police cannot make an arrest without taking prior assent from the court. Schedule I of the Criminal Procedure Code clearly distinguishes which offenses are cognizable and which are not. According to section 154(1) of the Criminal Procedural Code,  an FIR can be filed only in cognizable offenses.  Schedule 1 of
Read more

Consumer Dispute resolution under the Telecom Act 2023

-
Image
The Telecommunications Act of 2023 has strengthened the dispute resolution framework by introducing an online grievance redressal system. The aim is to expedite the resolution of conflicts between telecommunications companies and consumers while ensuring transparency in the redressal process. Following an inquiry, a telecom company found violating license or service terms may incur severe penalties, spectrum holdings cancellation, service restrictions, or even be prohibited from providing telecom services, depending on the seriousness of the breach.  How does the online grievance redressal system operate, and who plays key roles?   An Adjudicating Officer (AO), appointed by the Centre and not below the rank of joint secretary, will conduct inquiries to resolve disputes between telecom service providers and consumers. Additionally, a separate Designated Appeals Committee (DAC) will be formed, consisting of officers at the rank of additional secretaries. Individuals dissatisfied with an
Read more

When can Police Arrest you in Cyber crime: Explanation with Case Laws

-
Image
Arrest by Police in cyber crime cases By Adv (Dr.) Prashant Mali Cyber crime is a reality but personal liberty is a fundamental human right and a cornerstone of the social structure.  Arrest brings humiliation, curtails freedom and cast scars forever. Its deprivation is a matter of grave concern.  The law of arrest is one of balancing individual rights, liberties and privileges,on the one hand, and individual duties, obligations and responsibilities on the other. The police officer can , without an order/warrant from a Magistrate, arrest a person in respect of a cognizable offence punishable with imprisonment exceeding 7 years without mentioning any ' special reasons '. The problem arises when it comes to arrest of a person who is accused of an offence which is punishable up to 7 years. The Hon’ble Apex Court in Arnesh Kumar v. State of Bihar, (2014) 8 SCC 273 held; Our endeavour in this judgment is to ensure that the police officers do not arrest the accused unnecessarily and
Read more