This document introduces two foundational security concepts that are important for all WordPress website administrators to understand. As you secure your WordPress website, you will encounter zero day vulnerabilities and how they and other non-zero day vulnerabilities are disclosed. It’s important for you to understand the seriousness of zero day vulnerabilities and how they are normally disclosed so that you can quickly and effectively secure your site against them.
In the 1990’s, there was a software piracy scene that was called the ‘warez’ scene. It was groups of people that shared commercial software illegally using modems. The scene still exists today but uses BitTorrent and other more modern technologies. Back then, modems were slow and transferring pirated software took a long time.
The software would be posted to bulletin boards for members to download. It would be categorized into ‘Days’. One Hundred Day would mean that 100 days have elapsed since the software was released to the public. ’30 Day’ would mean 30 days have elapsed, so software in this category was newer. The most sought after was ‘Zero Day’. This was software that had not yet been released to the public. Often this software was acquired by hacking into a company’s network and stealing their unreleased software, or by an insider who stole the software before release. For this reason the hacking and warez scenes were closely linked.
The modern security industry has borrowed the term ‘zero day’ from the 1990s warez scene to indicate a security hole in software, where the vendor of that software has had ‘zero days’ to fix the problem. So, for example if you have a ‘zero day’ vulnerability in Adobe Flash, it means that Adobe has not yet been made aware of the security problem and there are likely millions of people running a version of Adobe Flash that has this security hole.
Today when speaking in person to security professionals you’ll often hear them pronounce ‘zero day’ as 0Day which is pronounced ‘Oh Day’. So if you want to seem hip, make sure you stick with the correct pronunciation.
Important To Note: When you hear about a new Zero Day in WordPress or a theme or plugin, you need to pay careful attention. Immediately check to see if there is a fix available. If not you should consider disabling and removing the software that contains the Zero Day if this is feasible without stopping your operations. Then contact the vendor and ask them when a fix will be released. Once you’ve done that, keep a close eye on vendor announcements so that as soon as a fix for the Zero Day is released, you can apply it and know that your website is secure again.
A “forever day” vulnerability is one where the vendor won’t fix the vulnerability. This usually happens because the vendor or original author is no longer maintaining the software. They may no longer be in business or the author may have moved on and abandoned the project.
You can avoid ending up with Forever Day vulnerabilities in your systems by using software that is actively maintained.
The Window of Vulnerability is the time between when a vulnerability becomes known to an individual, a group or the general public and when a fix is released by a vendor. The way vulnerabilities are discovered, disclosed and fixed varies between platforms and communities, but in general the sequence of events is as follows:
Zero Day vulnerabilities are not always reported by researchers. The Stuxnet worm, which targeted industrial control systems in Iran’s Uranium enrichment infrastructure exploited four separate Zero Day vulnerabilities. The Office of Personnel Management breach in 2014 used a Zero Day to gain access and this hack has been attributed to China.
Zero Day vulnerabilities are the equivalent of digital weapons in a Cyber War scenario. Stockpiling Zero Days is useful if you need a large toolkit to attack target networks. The United States National Security Agency has been accused by the Electronic Frontier Foundation of hoarding Zero Day vulnerabilities.
While Zero Day vulnerabilities are more serious than known vulnerabilities, there are various methods one can use to protect against them.
You can read more about Zero Day detection techniques at sans.org where they’ve published a PDF on the subject (2014).
The way the public is told about vulnerabilities is called ‘disclosure‘ or ‘vulnerability disclosure‘. It is a controversial subject and is constantly being debated. Most vulnerabilities that are disclosed publicly are discovered by security researchers. The steps they take to disclose a vulnerability to the vendor (software maker) and then the public are usually as follows:
You might ask why a researcher would want to release the full details of a security hole or vulnerability to the public at all. Security researchers make their living through consulting and selling security products and services. Doing security research costs them time and resources. They need to be compensated for this investment and by announcing to the world that they discovered an important vulnerability it helps market their products and services. Releasing full technical details of a vulnerability by a researcher illustrates the great work that they’re capable of and helps them cover their expenses, make a living and helps fund future research.
Important to Note: You can see the newest announced vulnerabilities by subscribing to email lists like ‘Full Disclosure’. Sometimes vulnerabilities are not shared with a vendor and are simply released to the public as a Zero Day. When this happens you are in a situation where an active Zero Day is ‘in the wild’ (known to hackers) and a fix is not available. Deal with these as you would with any Zero Day vulnerability (see above). Researchers may also not give vendors much time to fix a vulnerability before announcing it to the public. In this case you need to immediately upgrade to the newest version of the affected software as soon as a fix is released to minimize risk to your website.
The most prolific source of WordPress vulnerability disclosure is the “Full Disclosure” mailing list. It’s also the most likely place to find a Zero Day disclosed without vendor notification. If you are a WordPress site admin concerned with security, I would encourage you to subscribe, but be forewarned that the list is noisy and does include vulnerabilities for many other platforms and applications besides WordPress. Use your email filters accordingly.
US-CERT runs the National Cyber Awareness System and has several mailing lists you can choose from. I would encourage you to subscribe to Bulletins at a minimum which includes a weekly vulnerability summary.
You can also subscribe to our WordPress Security Mailing List where we announce serious vulnerabilities.
Exploit-DB is a web based database of vulnerabilities and you can often find newer WordPress vulnerabilities published there.
WPVulnDB.com contains a collection of WordPress core, plugin and theme vulnerabilities from around the Web.
The BugTraq Mailing list hosted by securityfocus.com (Now owned by Symantec) is legendary in the security industry. It has been around since 1993 and is an excellent source for the newest vulnerability disclosures. You can subscribe by emailing firstname.lastname@example.org.