One of the terms I’m most often asked to explain is what a “zero day” vulnerability or exploit is; let’s look at what that phrase entails.
If you’re not one to spend hours of your day reading articles about computer security, certain unintuitive terms may make you scratch your head. One of the terms I’m most often asked to explain is what does zero day mean; let’s look at what that phrase entails.
At ESET, we define a Zero-day as
A new, unpatched vulnerability which is used to perform an attack. The name “zero-day” comes from the fact that no patch yet exists to mitigate the vulnerability being exploited. Zero-days are sometimes used in trojan horses, rootkits, viruses, worms and other kinds of malware to help them spread to and infect additional computers. Also spelled as “zeroday”, “0day” and “0-day.” (source: ESET Virus Radar Glossary)
But what exactly does that mean? Before we delve into the “zero day” modifier, let’s start by examining exactly what it means when we talk about vulnerabilities and exploits.
What a tangled web we weave
You can think of computer software as being structured like a screen door: it’s comprised of millions of lines of code, woven together. Except that in the case of software the interlocking of those threads is usually quite complicated; instead of a simple weave, it can look more like a plate of spaghetti. This can naturally make it more difficult for people to search for weak spots within the code. Even automated checking tools sometimes have trouble analyzing it.
Simply put, software is written by humans. Humans are fallible and sometimes fail to check every possible permutation of the ways in which people might use their code. Sometimes, through either thorough research or accidental misuse, one of those weak spots in the weave may be discovered. Those weak spots are what we call a ”vulnerability” in the software.
When a vulnerability occurs, the weak spot it creates can create strange behavior in programs. When someone discovers the presence of a vulnerability, that strange behavior can be used to make a hole that attackers could use to get into to run their own, malicious code on your machine. Sometimes that strange behavior may just cause the program to crash. There are a variety of possible outcomes, depending on the particular error. The code they use to create that hole or cause the crash is meant to exploit the vulnerable area in the software. This is why it is called exploit code, or an “exploit” for short.
How many days?
So, now that you know what vulnerabilities and exploits are, what is the “zero day” part about? How do you count zero days? Until a software vendor releases a patch that fixes a vulnerability, it is considered a “zero day” vulnerability. If there is exploit code available for that vulnerability, it’s a “zero day” exploit. “Zero”, in this case, counts the number of days since a patch has been available to the public.
Ideally it would be a researcher, with the public’s best interest at heart, who is disclosing the vulnerability to the software vendor and problems would be fixed before anyone got hurt. In the real world, sometimes it’s a malware author that discovers the problem, and the results are naturally more problematic for those of us who use that vulnerable software, not least because malware authors are not usually considerate enough to share information about the vulnerability with the software vendor. In this case, the vendor is usually notified about the problem after a malware researcher receives a sample of a threat exploiting that vulnerability. This was the case with the three recent Adobe vulnerabilities, when malware authors took advantage of the vulnerabilities to attack people’s machines.
It is also worth noting that a vendor releasing a patch does not mean the end of malware authors’ activity for that vulnerability. Because they know that people often postpone updating for days, weeks, or even years, they may even increase their use of known, patched vulnerabilities. As long as the exploit continues to give a good return on investment, they will continue to use it.
In short, “zero-day” means a problem that has not yet been fixed. This is part of why we recommend a layered defense strategy. One never knows when a problem like this will occur, but if you have an overall security strategy that does not rely entirely on any one piece of software or type of technology, you will be more likely to weather the inevitable storm without serious harm. And the sooner you apply patches and updates from your software vendor’s website or a reputable app store, the more you decrease your risk of being affected by vulnerabilities.