Imagine your company just launched a new application. Hours upon hours were spent on the app, and it was finally ready… until, just an hour after the application was released, news of a major security flaw in the app begins circulating across the web. This is an example of a zero-day vulnerability.
Zero-Day Vulnerabilities, Exploits, and Attacks
Before diving into what a zero-day vulnerability is, it is important to know its counterparts: zero-day exploits and zero-day attacks. A zero-day vulnerability, as the name implies, is “an unknown security vulnerability or software flaw that a threat actor can target with malicious code” (Shastri). A zero-day vulnerability is what hackers and other threat actors leverage to create zero-day exploits. A zero-day exploit “takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware” (IBM). When these exploits are utilized and put into action, a zero-day attack is performed. An example of a zero-day attack is “when a hacker releases malware to exploit the software vulnerability before the software developer has patched the flaw” (Shastri).
These three terms (zero-day vulnerability, zero-day exploit, and zero-day attack) are often used interchangeably, despite being slightly different from each other. This is because they are directly related and interwoven. Say you are a knight trying to attack a castle and notice there is a crack in the castle wall. The crack in the wall is a zero-day vulnerability, since it presents an opportunity for the attacker. If you devise a plan to use this crack in the wall to breach the castle (say, using a catapult to hit the wall with large rocks in order to break it), then you have devised a zero-day exploit. Finally, putting this plan into motion and breaking the wall is a zero-day attack. The zero-day attack uses a zero-day exploit that takes advantage of a zero-day vulnerability.
More on Zero-Day Vulnerabilities
Generally, a zero-day vulnerability “exists in a version of an operating system, app or device from the moment it’s released, but the software vendor or hardware manufacturer doesn’t know it” (IBM). While it is called “zero-day”, this does not mean that the vulnerability is taken advantage of right away; rather, it is because “the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems” (IBM). In some cases, a zero-day vulnerability might not be discovered until a long while after a product is released. Fortinet gives further explanation of the history of the term “zero-day”, explaining that it “comes from the world of pirated digital media. A pirated version of a movie, music, or software is referred to as ‘zero day’ when it becomes available at the same time or before the official release. In other words, the pirated version is published zero days after the official version”, much like how the vulnerability can be taken advantage of immediately once it is found (Fortinet).
Who discovers the vulnerability has a major impact on how things proceed. As stated by IBM, in “the best-case scenario, security researchers or software developers find the flaw before threat actors do”, giving them time to begin working on a fix or other means of remediation (IBM). Some companies will choose to disclose the vulnerability, giving end users the chance to fortify themselves against possible attacks, while others “may keep a vulnerability secret until they’ve developed a software update or other fix” (IBM). The worst case is that attackers find the vulnerability first. This puts the developers at a disadvantage, since zero-day exploits are likely already being developed, and zero-day attacks carried out, before they can even begin fixing the issue.
Patches
Once a zero-day vulnerability is discovered, developers can put out a patch in order to remedy it. A software patch is “a specific change or set of updates provided by software developers to fix known security vulnerabilities or technical issues”, usually meant as a short-term fix while a more permanent solution is developed (Shastri). Patches might also include other features. Because zero-day vulnerabilities and exploits are often circulated around the internet once discovered, software vendors are able to “use information from the attacks to pinpoint the flaw they need to fix. So, while zero-day vulnerabilities can be dangerous, hackers can’t typically exploit them for long” (IBM).
How to Protect Against Zero-Day Vulnerabilities
Fortinet states that “being proactive and staying informed on the latest risks in the threat landscape is a vital first step in preventing zero day attacks”. By knowing what attackers are looking for, you know what to reinforce and defend against, while also keeping an eye on the things that are slipping under the radar. As noted by Sadowski, “threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors” (Sadowski). Thus, it is reasonable to assume that the more popular a software product or company becomes, the more likely it is to be targeted by zero-day attacks.
Additionally, employing secure programming practices can help to reduce the number of vulnerabilities in a product’s source code. Fortinet notes that “solutions that scan for vulnerabilities can simulate attacks on software code, review code for errors, and attempt to find new issues that have been introduced in a software update” (Fortinet). These types of tools, which can be standalone or built into a development environment, can help not only to eliminate possible vulnerabilities but also to produce cleaner and better-working code.
Finally, it is always important to keep your software up to date, both as a producer and as a consumer. On the producer side, “ensuring systems are up to date is crucial to protecting a business from the risk of zero-day attacks” against the business (Fortinet). This in turn helps protect your customers from being harmed by attacks against your company. Meanwhile, on the consumer side, keeping your apps and software up to date ensures that any security patches or bug fixes are applied and known vulnerabilities are remediated.
Resources & Further Reading
Fortinet. “What Is a Zero-Day Exploit?” Fortinet, www.fortinet.com/resources/cyberglossary/zero-day-attack.
IBM. “What Is a Zero-Day Exploit?” Ibm.com, 2 June 2023, www.ibm.com/think/topics/zero-day.
Sadowski, James. “Zero-Day Exploitation Increase Reaches an All-Time High.” Google Cloud Blog, 21 Apr. 2021, cloud.google.com/blog/topics/threat-intelligence/zero-days-exploited-2021/.
Shastri, Venu. “What Is a Zero-Day Exploit? | CrowdStrike.” Crowdstrike.com, 17 Jan. 2025, www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/zero-day-exploit/.