Three questions and answers: Where zero-day gaps lurk – and how to detect them
Zero-day vulnerabilities are particularly dangerous – but with the right tools you can still track them down.
Zero-day exploits are the terror of the IT world. They exploit unknown vulnerabilities so that signature-based malware scanners don't stand a chance. However, there is a whole range of methods and tools to detect potential vulnerabilities in your own source code. We spoke to Jonas Hagg, cover author of the new iX and penetration tester, about zero-day threats.
Where are the most dangerous undiscovered gaps lurking?
In the components of the operating systems used daily by millions of users – Windows, Android, iOS and macOS as well as the Linux-based systems that are often used as servers. An undiscovered vulnerability in these systems affects so many devices that it is particularly valuable to attackers.
If they are undiscovered and possibly in external components, is there any chance of detecting them?
In principle, yes. As shown with the XZ vulnerability, such problems can sometimes even be detected without having to analyze the source code first. However, detecting security vulnerabilities in components that are not publicly accessible is very time-consuming and requires even more time, patience and expertise than uncovering vulnerabilities in open source projects.
What should you do once you have found a vulnerability?
Ideally, you should follow the principle of responsible disclosure. This means that the manufacturer is first informed of the vulnerability to give them time to develop and publish a patch. Only after a reasonable period of time should the public be informed about the vulnerability. If you are unsure about the process and the legal framework (e.g. the hacker paragraph), the German Federal Office for Information Security (BSI) or the Chaos Computer Club can provide support.
Mr. Hagg, thank you very much for your answers! Readers can find a detailed overview of zero-day vulnerabilities as well as methods and tools that can be used to detect vulnerabilities in the new iX 11/2024, which is now available at newsstands and in the heise Shop.
In the series "Three questions and answers", iX aims to get to the heart of today's IT challenges – regardless of whether it is the user's view in front of the PC, the manager's view or the everyday life of an administrator. Do you have any suggestions from your day-to-day work or that of your users? Whose tips on which topic would you like to read in a nutshell? Then please write to us or leave a comment in the forum.
(fo)