Using sophisticated techniques to detect weaknesses in widely used programs like Google Chrome, Java, and Flash, they spend hours crafting “zero-day exploits”—complex codes custom-made to target a software flaw that has not been publicly disclosed, so they can bypass anti-virus or firewall detection to help infiltrate a computer system.
Like most technologies, the exploits have a dual use. They can be used as part of research efforts to help strengthen computers against intrusion. But they can also be weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud. Now, as cyberwar escalates across the globe, there are fears that the burgeoning trade in finding and selling exploits is spiralling out of control—spurring calls for new laws to rein in the murky trade.
Some legitimate companies operate in a legal gray zone within the zero-day market, selling exploits to governments and law enforcement agencies in countries across the world. [Blog Editor’s Note: Clearly this article was written long before the June 2013 NSA leaks by Edward Snowden showed how pervasive a threat has been posed by NSA extra-judicial surveillance tactics]. Authorities can use them covertly in surveillance operations or as part of cybersecurity or espionage missions. But because sales are unregulated, there are concerns that some gray market companies are supplying to rogue foreign regimes that may use exploits as part of malicious targeted attacks against other countries or opponents. There is also an anarchic black market that exists on invite-only Web forums, where exploits are sold to a variety of actors—often for criminal purposes.
- Zero Day Exploit (helphow2do.wordpress.com)
- New zero-day vulnerabilities found in Adobe Flash Player (reviews.cnet.com)
- NSA purchased zero-day exploits from French security firm Vulpen (zdnet.com)
- Russian Hacker put up an Android Firefox Zero-Day Exploit for Sale (hackingnewideas.wordpress.com)
- NSA contracted to buy malware from French hacker company (dailydot.com)