What is a zero-day (computer)?
A zero-day is a security flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. The term zero-day vulnerability refers to the flaw itself, while zero-day attack refers to an attack that has zero days between the time the vulnerability is discovered and the first attack. Zero-day exploit refers to the method or technique hackers use to take advantage of a vulnerability -- often via malware -- and execute the attack.
Once a zero-day vulnerability has been made public, it is known as an n-day or one-day vulnerability.
Ordinarily, when someone detects that a software program contains a potential security issue, that person or company will notify the software company (and sometimes the world at large) so that action can be taken.
Given time, the software company can fix the code and distribute a patch or software update. Even if potential attackers hear about the vulnerability, it may take them some time to exploit it; meanwhile, the fix will hopefully become available first.
Sometimes, however, a malicious hacker may be the first to discover the vulnerability. Since the vulnerability isn't known in advance, there is no way to guard against the exploit before an attack happens. Companies exposed to such exploits can, however, institute procedures for early detection.
Ethical security researchers try to cooperate with vendors and usually agree to withhold all details of zero-day vulnerabilities for a reasonable period before publishing those details.
For example, Google's Project Zero -- a team of security researchers that studies zero-day vulnerabilities -- follows industry guidelines, giving vendors up to 90 days to patch a typical vulnerability before publicly disclosing the flaw. If criminals are actively exploiting a zero-day vulnerability, however, Project Zero may reduce the response time to seven days or less.
Zero-day exploit detection
A zero-day exploit tends to be difficult to detect. Antimalware software, intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) can't recognize the attack signature because one doesn't yet exist.
This is why the best way to detect a zero-day attack is user behavior analytics. Most of the entities authorized to access networks exhibit certain usage and behavior patterns that are considered to be normal. Activities falling outside of the normal scope of operations could be an indicator of a zero-day attack.
For example, a web application server normally responds to requests in specific ways. If outbound packets are detected exiting the port assigned to that web application, and those packets do not match anything that would ordinarily be generated by the application, it is a good indication that an attack is happening.
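The outbound-traffic check described above, as an added example that is not part of the original article: a small Python detector run over constructed flow records for a hypothetical web server (10.0.1.10 on port 443, with a database tier and an internal DNS server as its only expected outbound dependencies). It flags replies sent from the web port to hosts that never made a request, and new outbound connections to anything outside that baseline.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport")

# Constructed flow records (hypothetical addresses): "<ts> <src>:<sport> -> <dst>:<dport>"
LOG = """\
1001 198.51.100.7:51234 -> 10.0.1.10:443
1002 10.0.1.10:443 -> 198.51.100.7:51234
1003 10.0.1.10:40001 -> 10.0.2.5:5432
1004 10.0.1.10:40002 -> 10.0.0.53:53
1005 10.0.1.10:443 -> 203.0.113.9:58080
1006 10.0.1.10:40003 -> 203.0.113.9:4444
"""

WEB_SERVER = "10.0.1.10"   # assumed web application host
WEB_PORT = 443             # port assigned to the web application
# Baseline of services the application normally talks to: (network, port)
BASELINE = [(ipaddress.ip_network("10.0.2.0/24"), 5432),   # database tier
            (ipaddress.ip_network("10.0.0.53/32"), 53)]    # internal DNS

def parse(log):
    """Turn the text records into Flow tuples."""
    flows = []
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), sip, int(sport), dip, int(dport)))
    return flows

def find_anomalies(flows):
    """Return (ts, reason, flow) for traffic the web server should not emit."""
    seen_clients = set()   # (ip, port) pairs that sent a request; a real tool would expire these
    anomalies = []
    for f in flows:
        if f.dst == WEB_SERVER and f.dport == WEB_PORT:
            seen_clients.add((f.src, f.sport))      # inbound request: remember the client
            continue
        if f.src != WEB_SERVER:
            continue                                # not this server's outbound traffic
        if f.sport == WEB_PORT:                     # reply traffic from the application port
            if (f.dst, f.dport) not in seen_clients:
                anomalies.append((f.ts, "unsolicited reply from web port", f))
            continue
        dip = ipaddress.ip_address(f.dst)           # new outbound connection
        if not any(dip in net and f.dport == port for net, port in BASELINE):
            anomalies.append((f.ts, "outbound to non-baseline service", f))
    return anomalies
```

Run over the sample log, only the last two records are reported: a reply from port 443 to a host that never connected, and a fresh connection to an external host on port 4444.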
Zero-day exploit period
Some zero-day attacks have been attributed to advanced persistent threat (APT) actors, including hacking or cybercrime groups affiliated with or part of national governments. Experts believe attackers, especially APTs or organized cybercrime groups, reserve their zero-day exploits for high-value targets.
N-day vulnerabilities continue to live on and are subject to exploits long after vendors have released corrective software patches. For example, in 2017, a vulnerability in the Apache Struts web framework was reported and a patch released. The credit bureau Equifax, however, failed to implement the patch. Later that year, attackers exploited the unpatched vulnerability, resulting in a breach.
Likewise, researchers continue to find zero-day vulnerabilities in the Server Message Block protocol, implemented in the Windows OS for many years.
Once a zero-day vulnerability is made public and a patch released, users should update their systems accordingly. Many fail to do so, however, and attackers continue to exploit the vulnerabilities for as long as unpatched systems remain exposed on the internet.
Defending against zero-day attacks
Zero-day exploits are difficult to defend against because they are so difficult to detect. Vulnerability scanning software relies on malware signature checkers to compare suspicious code with signatures of known malware; when the malware uses a zero-day exploit that has not been previously encountered, such vulnerability scanners will fail to block the malware.
Since, by definition, a zero-day vulnerability can't be known in advance, there is no way to guard against a specific exploit before it happens. However, there are some things that companies can do to reduce their level of risk exposure. These include the following:
- Use virtual local area networks to segregate some areas of the network or use dedicated physical or virtual network segments to isolate sensitive traffic flowing between servers.
- Implement IPsec, the IP security protocol, to apply encryption and authentication to network traffic.
- Deploy an IDS or IPS. Although signature-based IDS and IPS security products may not be able to identify the attack, they may be able to alert defenders to suspicious activity that occurs as a side effect to the attack.
- Use network access control to prevent rogue machines from gaining access to crucial parts of the enterprise environment.
- Lock down wireless access points and use a security scheme such as Wi-Fi Protected Access 2 for maximum protection against wireless-based attacks.
- Keep all systems patched and up to date. Although patches will not stop a zero-day attack, keeping network resources fully patched may make it more difficult for such an attack to succeed. When a zero-day or n-day patch does become available, apply it as soon as possible.
- Perform regular vulnerability scanning against enterprise networks and lock down any vulnerabilities that are discovered.
While maintaining a high standard for cybersecurity hygiene may not prevent all zero-day attacks, it's the best line of defense against unrecognizable exploits.
Examples of zero-day attacks
Multiple zero-day attacks commonly occur each year.
In 2016, for example, there was a zero-day attack (CVE-2016-4117) that exploited a previously undiscovered flaw in Adobe Flash Player. Also in 2016, more than 100 organizations succumbed to a zero-day bug (CVE-2016-0167) that was exploited for an escalation-of-privilege attack targeting Microsoft Windows.
In 2017, a zero-day vulnerability (CVE-2017-0199) was discovered in which a Microsoft Office document in rich text format was shown to be able to trigger the execution of a Visual Basic script containing PowerShell commands upon being opened. Another 2017 exploit (CVE-2017-0261) used Encapsulated PostScript as a platform for initiating malware infections.
The Stuxnet worm was a devastating zero-day exploit that targeted supervisory control and data acquisition (SCADA) systems by first attacking computers running the Windows operating system. Stuxnet exploited four different Windows zero-day vulnerabilities and spread through infected USB drives, making it possible to infect both Windows and SCADA systems remotely without attacking them through a network. The Stuxnet worm has been widely reported to be the result of a joint effort by U.S. and Israeli intelligence agencies to disrupt Iran's nuclear program.
Nation-state attackers are increasingly targeting zero-day vulnerabilities, according to the Microsoft "Digital Defense Report 2022." The researchers attributed many of the recent zero-day exploits to China, in particular.