Zero-day (computing)

A zero-day is a computer software vulnerability that is either unknown to those interested in mitigation, including the vendor of the software, or is known and a patch has not been developed. An exploit of a zero-day is called a zero-day exploit or zero-day attack.

Other attributes

Also known as: 0-day
Wikidata ID: Q846726

Overview

A zero-day vulnerability is a flaw in software or hardware that is unknown to the people responsible for fixing it, and an exploit for it can cause serious damage before anyone detects it. Exploitation of such a flaw frequently leaves no opportunity for detection at the time. The usual sequence is that a vendor ships a product containing the flaw, and a threat actor either finds it before the developer does or acts on it before the developer has a patch. Once the exploit is in use, it may be recognized through its effects, such as identity or information theft, or the developer may catch it and produce a patch. This can take months or years, and the developer sometimes learns of the vulnerability only after an attack has already used it.

The term zero-day refers to a newly discovered vulnerability and to the amount of time the developer has had to fix it through an update or patch: zero days.

Vulnerability vs. exploit vs. attack

The word zero-day is attached to three related terms: vulnerability, exploit, and attack. The differences are:

  • A zero-day vulnerability is a software vulnerability that attackers discover before the vendor becomes aware of it.
  • A zero-day exploit is the method used to attack systems through such a not-yet-known vulnerability.
  • A zero-day attack is the use of a zero-day exploit to cause damage to, or steal data from, a system affected by the vulnerability.

Zero-day vulnerability

Zero-day vulnerabilities are unknown security flaws or bugs in software, firmware, or hardware that the vendor does not know about, or does not have an official patch or update to address. Often the vendors and users are not aware of the existence of a vulnerability unless it is reported by a researcher or discovered as the result of an attack.

Software vulnerabilities are often discovered by security companies, security researchers, the software vendors themselves, and users. When these parties discover a vulnerability, they normally inform the vendor so that it can release an update or patch before they publish their findings. A vulnerability discovered by an attacker, by contrast, is usually kept secret for as long as possible so that it can be exploited for as long as possible.

Examples of previous zero-day vulnerabilities and related attacks

| Software | Description of vulnerability/attack | Year |
|---|---|---|
| Apple iOS | The mobile operating system was hit by at least two sets of zero-day vulnerabilities, including a bug that allowed attackers to compromise iPhones remotely. | 2020 |
| Facebook | Detailed information on 540 million Facebook users was left publicly viewable after what was reported as a zero-day exploit. Facebook confirmed at the time that the data had been scraped through a vulnerability the company later patched. In 2021 the same vulnerability was blamed for the leak of 533 million users' information. | 2019-2021 |
| Google Chrome | Chrome suffered a series of zero-day exploits, forcing Google to issue emergency updates. The vulnerabilities stemmed from bugs in the V8 JavaScript engine used by the browser. | 2021 |
| LinkedIn | LinkedIn was reported to have been hit by a zero-day attack affecting 700 million users. The actor involved advertised the users' data for sale, with samples that were real and current as of June 2021. | 2021 |
| Microsoft Windows (Eastern Europe) | A local privilege escalation vulnerability in Microsoft Windows was exploited against government institutions in Eastern Europe. The zero-day exploit let the attacker run arbitrary code, install programs, and view or change data on compromised systems. | 2019 |

Process of zero-day attacks

Most zero-day attacks follow the same pattern. A piece of software is released with a vulnerability, and an attacker finds that vulnerability before the vendor does. The attacker builds a zero-day exploit for it and deploys the exploit while the vulnerability still exists. At any point in this timeline the vendor may learn of the vulnerability, either because an attack is detected or because a security or research team reports it. At that moment the vendor usually has no fix ready, so the vendor or the researchers disclose the vulnerability and users are warned of the danger until a patch is available. If zero-day malware is in circulation, security vendors identify its signatures and update their detection definitions to provide some protection. Finally, the vendor develops a patch or update that closes the vulnerability and pushes it out to the user base as fast as possible.

Attack vectors include users visiting rogue websites that host malicious code capable of exploiting vulnerabilities in web browsers, a popular target because browsers are so widely distributed and used. Attackers can also send malicious e-mail attachments that exploit vulnerabilities in the application used to open them. Exploits can also target common file formats; exploits of this kind are catalogued in vulnerability databases such as the one maintained by US-CERT, and they are engineered to abuse a particular file type in order to compromise the targeted system or steal data.

Detection

Zero-day exploits are difficult to detect. Signature-based intrusion detection systems, intrusion prevention systems, and anti-malware products are largely ineffective against them, because a zero-day exploit has no known attack signature to match. Detection therefore has to rely on behavior rather than signatures, for example user and entity behavior analytics: the usage and behavior patterns considered normal for the different entities authorized to access the network are monitored, and behavior that falls outside that normal scope is treated as a possible indicator of a zero-day attack.

Real-time visibility likewise lets security, IT operations, and networking teams model normal traffic and application behavior, so that new connectivity between workloads and unusual failed attempts to connect to a workload, both possible indicators of an attack, stand out. Micro-segmentation adds a preventive control: it limits the pathways an exploit can use, which makes a network harder to move through, and it gives a view of the traffic between workloads and users while restricting that traffic to specific ports, protocols, and services.
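The baseline-and-deviation approach described above, as an added example that is not code from the original page or from any product it mentions. The log format (timestamp, source, destination, port, result) and the two log windows are constructed for illustration: the first window defines what is normal for two web servers, and the second plants a connection to a never-seen destination and a burst of failed connections, the two indicators the text names.

```python
from collections import Counter, defaultdict

# Constructed baseline window: traffic that is normal for two web servers.
# Format (an assumption for this example): timestamp src dst port result
BASELINE_LOG = """\
2021-06-01T09:00:01 web01 db01 5432 ok
2021-06-01T09:00:05 web01 db01 5432 ok
2021-06-01T09:01:10 web01 cache01 6379 ok
2021-06-01T09:02:00 web02 db01 5432 ok
2021-06-01T09:02:30 web02 cache01 6379 ok
2021-06-01T09:03:00 web01 db01 5432 fail
"""

# Constructed observation window with two anomalies planted in it:
# web01 opens SMB to a file server it has never talked to, and
# web02 repeatedly fails to reach SSH on an admin host.
OBSERVED_LOG = """\
2021-06-02T09:00:01 web01 db01 5432 ok
2021-06-02T09:00:07 web01 fs01 445 ok
2021-06-02T09:00:09 web02 admin01 22 fail
2021-06-02T09:00:10 web02 admin01 22 fail
2021-06-02T09:00:11 web02 admin01 22 fail
2021-06-02T09:00:12 web02 admin01 22 fail
2021-06-02T09:00:20 web02 cache01 6379 ok
2021-06-02T09:00:30 web01 db01 5432 fail
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, result = line.split()
        events.append((ts, src, dst, int(port), result))
    return events


def build_baseline(events):
    """Learn, per source host, the (dst, port) pairs it normally uses and
    how many failed connections it normally produces in a window."""
    edges = defaultdict(set)
    failures = Counter()
    for _, src, dst, port, result in events:
        edges[src].add((dst, port))
        if result == "fail":
            failures[src] += 1
    return edges, failures


def detect(baseline_edges, baseline_failures, events, fail_multiplier=3):
    """Flag connections to never-seen (dst, port) pairs, once per new edge,
    and bursts of failed connections well above a source's baseline."""
    alerts = []
    reported_edges = set()
    fail_counts = Counter()
    for ts, src, dst, port, result in events:
        edge = (src, dst, port)
        if (dst, port) not in baseline_edges.get(src, set()) and edge not in reported_edges:
            reported_edges.add(edge)
            alerts.append(("new-edge", src, dst, port, ts))
        if result == "fail":
            fail_counts[src] += 1
    for src, n in fail_counts.items():
        # Tolerate the baseline failure count (at least 1) times a multiplier.
        threshold = fail_multiplier * max(baseline_failures.get(src, 0), 1)
        if n > threshold:
            alerts.append(("fail-burst", src, n, threshold))
    return alerts


def run_detection():
    """Learn the baseline from the first window and score the second."""
    edges, failures = build_baseline(parse_log(BASELINE_LOG))
    return detect(edges, failures, parse_log(OBSERVED_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Running it yields two new-edge alerts (web01 to fs01:445 and web02 to admin01:22) and one fail-burst alert for web02, while web01's single failed database connection stays below its learned threshold and is not reported. The learned baseline is what makes this work without a signature; the tolerance multiplier is the knob that trades false positives for sensitivity.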

Protection

Good security practice cannot by itself protect against a zero-day vulnerability, but it reduces the chance that an organization is compromised through one. Measures include:

  • Keeping patches up to date and keeping staff aware of best practices, so that an attacker cannot chain a zero-day with already-known vulnerabilities. This reduces the chance that a server affected by a zero-day can also be used to get past firewalls.
  • Watching for intrusions: suspicious activity of any kind can reveal that a vulnerability is being exploited somewhere in the network and that data may be being exfiltrated from it.
  • Locking down networks: any device in a company could harbor a zero-day vulnerability, but a well-designed network infrastructure limits an attacker's ability to move from computer to computer, and systems that are easy to isolate once compromised limit the damage an attack can do.
  • Backing up data: a zero-day attack can knock systems offline and damage or erase data, but frequent backups let the victim recover as much as possible.
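The "lock down networks" point above, and the micro-segmentation control in the Detection section, both come down to shrinking the set of machines an attacker can pivot to from a single compromised host. This added example (not code from the original page) makes that blast radius concrete: it walks a constructed six-host topology under a flat network and under a tier-based allow-list, assuming in the worst case that any listening service the attacker can connect to can be compromised. Host names, ports, tiers, and allow rules are all constructed for the illustration.

```python
from collections import deque

# Constructed topology: six hosts and the ports each one listens on.
HOSTS = ["web01", "web02", "app01", "db01", "fs01", "admin01"]
LISTENING = {
    "web01": {80, 22}, "web02": {80, 22},
    "app01": {8080, 22},
    "db01": {5432, 22}, "fs01": {445, 22},
    "admin01": {22},
}

# Constructed tiers and allow-list; any (src tier, dst tier, port) not listed is denied.
TIER = {"web01": "web", "web02": "web", "app01": "app",
        "db01": "db", "fs01": "db", "admin01": "mgmt"}
ALLOW = {
    ("web", "app", 8080),   # web tier may call the application API
    ("app", "db", 5432),    # app tier may query the database
    ("mgmt", "web", 22),    # management host may SSH into every tier
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}


def flat_policy(src, dst, port):
    """An unsegmented network: every host can reach every port."""
    return True


def segmented_policy(src, dst, port):
    """Micro-segmentation: only explicitly allowed tier/port paths pass."""
    return (TIER[src], TIER[dst], port) in ALLOW


def reachable(start, policy):
    """Worst-case lateral movement: assume any service the attacker can
    connect to can be compromised, and walk the network breadth-first."""
    compromised = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst in compromised:
                continue
            if any(policy(cur, dst, port) for port in LISTENING[dst]):
                compromised.add(dst)
                queue.append(dst)
    return compromised - {start}


def blast_radius(start):
    """Hosts an attacker who holds `start` can reach under each policy."""
    return {
        "flat": reachable(start, flat_policy),
        "segmented": reachable(start, segmented_policy),
    }


if __name__ == "__main__":
    for host in HOSTS:
        r = blast_radius(host)
        print(f"{host}: flat={sorted(r['flat'])} segmented={sorted(r['segmented'])}")
```

With a zero-day on web01, the flat network gives the attacker every other host; the segmented policy confines them to app01 and, through app01's database access, db01, while the file server and the management host stay out of reach. Note that the same policy makes admin01 the host whose compromise reaches everything, which is exactly why management paths deserve the tightest controls.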

Targets of zero-day exploits

Attackers holding zero-day exploits tend to go after bigger, higher-value targets than those operating with commodity malware. That does not mean individual users are unaffected: individuals often end up as collateral damage or are used as stepping stones in the larger scheme of a specific attack. Non-targeted attacks of this kind aim to affect as many users as possible, which makes any individual's data as valuable as anyone else's. Targets include:

  • Government agencies
  • Large businesses and organizations
  • Individuals with access to high-value information, such as confidential business data
  • Software with large numbers of users, such as operating systems or browsers
  • Large groups of individual users for use in botnets
  • Hardware including IoT devices and the associated firmware
  • Political targets and national security threats


Further Resources

  • How we protect users from 0-day attacks. Maddie Stone. Web, July 14, 2021. https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
  • The Ultimate Guide to Zero-Day Attacks & Exploits. Web, March 1, 2021. https://www.thesslstore.com/blog/the-ultimate-guide-to-zero-day-attacks-exploits/
  • What are zero-day attacks? Web. https://www.bullguard.com/bullguard-security-center/pc-security/computer-threats/what-are-zero-day-attacks.aspx
  • What is a zero day? A powerful but fragile weapon. Web, March 11, 2020. https://youtu.be/Eyq7TLai-8g
  • What is a zero day? Definition, examples, and defense. Josh Fruhlinger. Web, April 12, 2021. https://www.csoonline.com/article/3284084/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html
