Zero days explained: How unknown vulnerabilities become gateways for attackers

You can't patch these holes—but you can still protect yourself


Zero day definition

A zero day is a security flaw for which the vendor of the flawed system has yet to make a patch available to affected users. The name ultimately derives from the world of digital content piracy: if pirates were able to distribute a bootleg copy of a movie or album on the same day it went on sale legitimately (or maybe even before), it was dubbed a "zero day."

Borrowed into the world of cybersecurity, the name evokes a scenario where an attacker has gotten the jump on a software vendor, implementing attacks that exploit the flaw before the good guys of infosec are able to respond. Once a zero day attack technique is circulating out there in the criminal ecosystem—often sold by its discoverers for big bucks—the clock is ticking for vendors to create and distribute a patch that plugs the hole.

Zero day vulnerability vs exploit vs attack

There are three words — vulnerability, exploit, and attack — that you often see associated with zero days, and understanding the distinction will help you get a grasp on the zero day lifecycle.

A zero day vulnerability is a software or hardware flaw that has been discovered and for which no patch exists. The discovery part is key to this—there are no doubt any number of flaws out there that literally nobody knows about, which raises some "What if a tree fell in the forest but nobody heard it?"-style philosophical questions. But the question of who knows about these flaws is crucial to how security incidents play out. White hat security researchers who discover a flaw may contact the vendor in confidence so that a patch can be developed before the flaw's existence is widely known. Some malicious hackers or state-sponsored hacking groups, meanwhile, may want to keep knowledge of the vulnerability secret so that the vendor remains in the dark and the hole remains open.

At any rate, a vulnerability by itself is a tempting target, but nothing more. In order to use that vulnerability to gain access to a system or its data, an attacker must craft a zero day exploit—a penetration technique or piece of malware that takes advantage of the weakness. While some attackers design these exploits for their own use, others sell them to the highest bidder rather than get their hands dirty directly.

Once armed with an exploit, a malicious hacker can now carry out a zero day attack. In other words, a vulnerability only represents a potential avenue of attack, and an exploit is a tool for performing that attack; it's the attack itself that's truly dangerous. This can be a point of contention within the security research community, where vulnerabilities are often uncovered—and occasionally publicized—with the intent of raising awareness and getting them patched more quickly. However, vendors whose vulnerabilities are exposed sometimes treat that exposure as tantamount to an attack itself.

Why are zero day exploits dangerous?

Because zero day exploits represent a means to take advantage of a vulnerability that has yet to be patched, they are a sort of "ultimate weapon" for a cyberattack. While almost innumerable systems around the world are breached every year, the sad truth is that most of those breaches make use of holes that are known to security pros and for which fixes exist; the attacks succeed in part due to poor security hygiene on the part of the victims, and organizations that are on top of their security situation—which, at least in theory, should include truly high value targets like financial institutions and government agencies—will have applied the needed patches to prevent those sorts of breaches.

But a zero day vulnerability, by definition, cannot be patched. If the vulnerability hasn't been widely publicized, potential victims may not be paying attention to the vulnerable system or software and so could miss signals of suspicious activity. The advantage this gives to attackers means that they may try to keep knowledge of the vulnerability relatively secret and use zero day exploits only against high value targets, since the secret won't last forever.

It's worth reiterating that the category of "attackers" here includes not just cybercriminals but state-sponsored groups as well. Both Chinese and U.S. intelligence agencies are known to collect information on zero day vulnerabilities that they can use for the purposes of espionage or cybersabotage. One particularly famous instance of this was a vulnerability discovered in the SMB protocol in Microsoft Windows by the U.S. National Security Agency; the NSA crafted the EternalBlue exploit code to take advantage of this, which was eventually stolen by malicious hackers who used it to create the WannaCry ransomware worm.

When affected organizations do learn about a zero day vulnerability, they may find themselves in a quandary, especially if the vulnerability is in an operating system or other widely used piece of software: they must either accept the risk of attack or shut down crucial aspects of their operations.

Defense against zero day attacks

While zero day vulnerabilities and attacks are thus extremely serious matters, that doesn't mean that mitigating them is impossible. Ways to fight against such attacks can be grouped into two broad categories: what individual organizations and their IT departments can do to protect their own systems, and what the industry and security community as a whole can do to make the overall environment safer.

Let's start by discussing what you and your organization can do to protect yourself. Hopefully, you're already practicing good security hygiene; the good news is that even if there's no patch available for a specific zero day vulnerability, tight security practices can still reduce your chance of being seriously compromised. The Cybriant blog breaks it down into these steps:

  • Practice defense in depth. Remember, many breaches are the result of a chain of attacks exploiting multiple vulnerabilities. Keeping your patches up to date and your staff aware of best practices can break that chain. Your datacenter servers may be afflicted with a zero day vulnerability, for instance, but if an attacker can't breach your up-to-date firewall or convince your users to download a trojan attached to a phishing email, they won't be able to deliver their exploit to that vulnerable system.
  • Keep an eye out for intrusions. Because you might not know the form a zero day attack will take, you need to keep an eye out for suspicious activity of all kinds. Even if an attacker enters your systems through a vulnerability unknown to you, they'll leave telltale signs as they begin moving across your network and possibly exfiltrating information. Intrusion detection and prevention systems are designed to spot this kind of activity, and advanced antivirus may similarly peg code as malware based on its behavior, even if it doesn't match any existing signatures.
  • Lock down your networks. Any device or server in your company could theoretically be harboring a zero day vulnerability, but it's not very likely that all of them do. A network infrastructure that makes it difficult for attackers to move from computer to computer and easy to isolate compromised systems can help limit the damage an attack can do. In particular, you'll want to implement role-based access controls to ensure that infiltrators can't get to your crown jewels easily.
  • Be sure to back up. Despite your best efforts, it's possible that a zero day attack will be able to knock some of your systems offline, or damage or erase your data. Frequent backups will ensure that you can bounce back from such worst-case scenarios quickly.
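
The "keep an eye out for intrusions" step can be made concrete with a signature-free check. The following is an added example, not code from the article or from Cybriant: it compares each host's current network flows with a baseline and flags new peers on administrative ports (a sign of movement across the network) and unusual outbound volume (a sign of exfiltration). The flow records, the 10.0.0.0/8 internal range, the port list and both thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
ADMIN_PORTS = {22, 445, 3389}                   # SSH, SMB, RDP
NEW_PEER_LIMIT = 3   # new internal admin-port peers that trigger a finding
EXFIL_FACTOR = 10    # multiple of baseline outbound volume that triggers a finding
# Constructed sample flows: (source, destination, destination port, bytes sent)
BASELINE = [
    ("10.0.1.20", "10.0.2.5", 445, 4_000),
    ("10.0.1.20", "203.0.113.10", 443, 50_000),
    ("10.0.1.31", "10.0.2.5", 445, 6_000),
    ("10.0.1.31", "203.0.113.10", 443, 40_000),
]
CURRENT = [
    ("10.0.1.20", "10.0.2.5", 445, 5_000),        # known peer
    ("10.0.1.20", "203.0.113.10", 443, 60_000),   # ordinary volume
    ("10.0.1.31", "10.0.3.11", 445, 900),         # three peers never seen before
    ("10.0.1.31", "10.0.3.12", 3389, 700),
    ("10.0.1.31", "10.0.3.13", 22, 800),
    ("10.0.1.31", "198.51.100.7", 443, 900_000),  # large upload
]

def profile(flows):
    """Per source host: internal admin-port peers and bytes sent to external hosts."""
    peers, ext_bytes = defaultdict(set), defaultdict(int)
    for src, dst, port, sent in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            if port in ADMIN_PORTS:
                peers[src].add(dst)
        else:
            ext_bytes[src] += sent
    return peers, ext_bytes

def detect(baseline, current):
    """Return {host: [findings]} for behaviour that departs from the baseline."""
    base_peers, base_bytes = profile(baseline)
    cur_peers, cur_bytes = profile(current)
    findings = defaultdict(list)
    for host, peers in cur_peers.items():
        new = peers - base_peers.get(host, set())
        if len(new) >= NEW_PEER_LIMIT:
            findings[host].append(f"lateral movement: {len(new)} new admin-port peers")
    for host, sent in cur_bytes.items():
        # A host with no baseline gets a floor of 1 byte, so its traffic is still compared.
        if sent > EXFIL_FACTOR * max(base_bytes.get(host, 0), 1):
            findings[host].append(f"possible exfiltration: {sent} bytes to external hosts")
    return dict(findings)

print(detect(BASELINE, CURRENT))
```

Neither rule depends on knowing which vulnerability was used to get in, which is why this kind of check still works when no signature exists.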

But fighting off zero day attacks isn't something that you need to do on your own. In fact, the broader security ecosystem—which consists of everyone from independent white-hat hacker researchers to security teams at big software and hardware vendors—has an interest in uncovering and fixing zero day vulnerabilities before malicious hackers can exploit them.

It's true that individual actors within this ecosystem sometimes butt heads, as we've noted. If an independent security researcher contacts a vendor with information about a vulnerability, the vendor might see them as a threat rather than a help, especially if the researcher is unknown to the vendor's security team. On the flipside, researchers may grow frustrated if a vendor drags its feet on patching a hole they've been informed about, and will thus release information about the zero day vulnerability before a patch is ready for it, in order to light a fire under the vendor's feet.

Efforts have been made to help these various actors work together better, collaborating and sharing information in a responsible way rather than pointing fingers at one another. One important way this can be achieved is through bounty programs like Trend Micro's Zero Day Initiative, which pay cash rewards to security researchers who report security flaws in a responsible way. While these programs probably can't match the amounts criminal cartels will shell out for zero day exploits, they provide an incentive to keep researchers on the straight and narrow, as well as an institutional structure that mediates between white hat hackers and vendors and keeps lines of communication open on progress towards patches.

One thing vendors and researchers do generally agree on is that state-sponsored groups that keep information on zero day vulnerabilities to themselves for espionage purposes do not help the cause of security. In the wake of the revelations about the NSA and the EternalBlue exploit, Microsoft put out a pointed statement that called for an end to governments "stockpiling" vulnerabilities and for better information sharing.

Zero day attack examples

We've already discussed EternalBlue, an instance of the U.S. government keeping a zero day exploit secret for quite some time. Strictly speaking, though, the wave of attacks that began with WannaCry weren't zero day attacks, because Microsoft did release a patch for its SMB vulnerability not long before they began, though many systems remained vulnerable.

The march of zero day vulnerabilities and attacks is relentless. Here are a few of the most prominent in late 2020 and early 2021:

Copyright © 2021 IDG Communications, Inc.
