Zero days

The issue

A zero-day (also known as zero-hour or 0-day) vulnerability is a computer software vulnerability that has not yet been publicly disclosed and that attackers can exploit to adversely affect programs, data, additional computers or a network.

It is known as a "zero-day" because it is not publicly reported or announced before it is actively exploited, leaving the software's author with zero days in which to create patches or advise workarounds to mitigate its effects. In effect, zero time has passed since the exploitable bug's existence was disclosed. By the same convention, an exploitable bug that has been known for thirty days is sometimes called a 30-day exploit.


The fewer days the bug has been known about, the higher the chance that no fix or mitigation exists. The more recently the exploit was published, the higher the probability that an attack on a particular affected installation of the software will succeed, because even if a patch exists, not every user of that software will have applied it. For zero-day exploits, the probability that a user has already applied a fix is of course zero.

Attacks employing zero-day exploits are often attempted before or on the day that notice of the vulnerability is released to the public, and sometimes before the author is even aware of the bug or has developed and distributed corrected code. Zero-day attacks are therefore a severe threat.

The solution

The security architecture of Hdiv protects the application against most zero-day vulnerabilities before they are even discovered. It does this by reducing the application's exposure to them through strict enforcement of the application contract: the set of URLs, parameters and values that the server itself offered to the client. Hdiv applies the least privilege principle, permitting users to do only what they are expected to do. This prevents most zero-day exploits because a malicious client cannot create new parameters, modify server-generated data, or alter URLs, which removes the inputs most of these security bugs need in order to be exploited.
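A simplified illustration of the contract check described above, added here as an example and not taken from Hdiv's own code: at render time the server records, under a random token, which URL a page may submit to, which parameters it emitted as fixed (must come back unchanged) and which the user may edit; at request time anything outside that contract is rejected. The `ContractStore` class, the `/account/update` URL and the parameter names are assumptions chosen for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from hmac import compare_digest


@dataclass(frozen=True)
class PageContract:
    """What the server offered on one rendered page (hypothetical model)."""
    url: str                       # the only URL this contract may be submitted to
    fixed: dict[str, str]          # parameters the client must echo back unchanged
    editable: frozenset[str]       # parameters the user is allowed to fill in freely


class ContractStore:
    """Server-side store of page contracts keyed by a random per-page token.
    Simplification: a real deployment binds tokens to the user's session."""

    def __init__(self) -> None:
        self._contracts: dict[str, PageContract] = {}

    def register(self, url: str, fixed: dict[str, str], editable: set[str]) -> str:
        """Called while rendering: record the links/forms emitted and return the
        token that must accompany any request generated from that page."""
        token = secrets.token_urlsafe(16)
        self._contracts[token] = PageContract(url, dict(fixed), frozenset(editable))
        return token

    def validate(self, token: str | None, url: str, params: dict[str, str]) -> tuple[bool, str]:
        """Check an incoming request against the contract recorded at render time."""
        contract = self._contracts.get(token or "")
        if contract is None:
            return False, "missing or unknown contract token"
        if url != contract.url:
            return False, f"URL {url!r} was not offered by the server"
        for name, value in params.items():
            if name in contract.fixed:
                # constant-time compare so a tampered value cannot be probed byte by byte
                if not compare_digest(value, contract.fixed[name]):
                    return False, f"non-editable parameter {name!r} was modified"
            elif name not in contract.editable:
                # a parameter the server never rendered: the client invented it
                return False, f"parameter {name!r} was not part of the page contract"
        missing = set(contract.fixed) - set(params)
        if missing:
            return False, f"fixed parameters missing: {sorted(missing)}"
        return True, "request matches contract"
```

The same check covers the three cases the text names (new parameters, modified server-side values, changed URLs), plus the stricter case of a fixed parameter being dropped entirely.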

Examples of zero-day exploits that Hdiv prevented from the very beginning include:

  • The Spring Web Flow vulnerability that allows remote command execution (CVE-2017-4971)
  • Several critical vulnerabilities discovered in Spring Security that could allow an attacker to gain access to protected resources, such as CVE-2016-5007 or CVE-2016-9879