Zero-day (computing)

Last updated

A zero-day (also known as 0-day) is a computer-software vulnerability unknown to those who should be interested in its mitigation (including the vendor of the target software). Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. [1] An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.


The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them. [2] [3] [4] Once the vendor learns of the vulnerability, they will usually create patches or advise workarounds to mitigate it.

The more recently that the vendor has become aware of the vulnerability, the more likely it is that no fix or mitigation has been developed. Once a fix is developed, the chance of the exploit succeeding decreases as more users apply the fix over time. For zero-day exploits, unless the vulnerability is inadvertently fixed, such as by an unrelated update that happens to fix the vulnerability, the probability that a user has applied a vendor-supplied patch that fixes the problem is zero, so the exploit would remain available. Zero-day attacks are a severe threat. [5]

Attack vectors

Malware writers can exploit zero-day vulnerabilities through several different attack vectors. Sometimes, when users visit rogue websites, malicious code on the site can exploit vulnerabilities in Web browsers. Web browsers are a particular target for criminals because of their widespread distribution and usage. Cybercriminals, as well as international vendors of spyware such as Israel’s NSO Group, [6] can also send malicious e-mail attachments via SMTP, which exploit vulnerabilities in the application opening the attachment. [7] Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases like US-CERT. Criminals can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data. [8]

Window of vulnerability

The time from when a software exploit first becomes active to the time when the number of vulnerable systems shrinks to insignificance is known as the window of vulnerability. [9] The timeline for each software vulnerability is defined by the following main events:

Thus the formula for the length of the window of vulnerability is: t2 − t1b.

In this formulation, it is always true that t0t1a, and t0t1b. Note that t0 is not the same as day zero. For example, if a hacker is the first to discover (at t0) the vulnerability, the vendor might not learn of it until much later (on day zero).

For normal vulnerabilities, t1b > t1a. This implies that the software vendor was aware of the vulnerability and had time to publish a security patch (t1a) before any hacker could craft a workable exploit (t1b). For zero-day exploits, t1bt1a, such that the exploit becomes active before a patch is made available.

By not disclosing known vulnerabilities, a software vendor hopes to reach t2 before t1b is reached, thus avoiding any exploits. However, the vendor has no guarantees that hackers will not find vulnerabilities on their own. Furthermore, hackers can analyze the security patches themselves, and thereby discover the underlying vulnerabilities and automatically generate working exploits. [10] These exploits can be used effectively up until time t2.

In practice, the length of the window of vulnerability varies between systems, vendors, and individual vulnerabilities. It is often measured in days, with one report from 2006 estimating the average as 28 days. [11]


Zero-day protection is the ability to provide protection against zero-day exploits. Since zero-day attacks are generally unknown to the public, it is often difficult to defend against them. Zero-day attacks are often effective against "secure" networks and can remain undetected even after they are launched. Thus, users of so-called secure systems must also exercise common sense and practice safe computing habits. [12]

Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as macOS, Windows Vista and beyond (see also: Security and safety features new to Windows Vista), Solaris, Linux, Unix, and Unix-like environments; Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities [13] and previous versions include even less. Desktop and server protection software also exist to mitigate zero-day buffer overflow vulnerabilities. Typically, these technologies involve heuristic termination analysis in order to stop attacks before they cause any harm. [14]

It has been suggested that a solution of this kind may be out of reach because it is algorithmically impossible in the general case to analyze any arbitrary code to determine if it is malicious, as such an analysis reduces to the halting problem over a linear bounded automaton, which is unsolvable. It is, however, unnecessary to address the general case (that is, to sort all programs into the categories of malicious or non-malicious) under most circumstances in order to eliminate a wide range of malicious behaviors. It suffices to recognize the safety of a limited set of programs (e.g., those that can access or modify only a given subset of machine resources) while rejecting both some safe and all unsafe programs. This does require the integrity of those safe programs to be maintained, which may prove difficult in the face of a kernel-level exploit.[ citation needed ]

The Zeroday Emergency Response Team (ZERT) was a group of software engineers who worked to release non-vendor patches for zero-day exploits.


Zero-day worms take advantage of a surprise attack while they are still unknown to computer security professionals. Recent history shows an increasing rate of worm propagation. Well designed worms can spread very fast with devastating consequences to the Internet and other systems.[ citation needed ]


Differing ideologies exist relating to the collection and use of zero-day vulnerability information. Many computer security vendors perform research on zero-day vulnerabilities in order to better understand the nature of vulnerabilities and their exploitation by individuals, computer worms and viruses. Alternatively, some vendors purchase vulnerabilities to augment their research capacity.[ clarification needed ] An example of such a program is TippingPoint's Zero Day Initiative. While selling and buying these vulnerabilities is not technically illegal in most parts of the world, there is a lot of controversy over the method of disclosure. A 2006 German decision to include Article 6 of the Convention on Cybercrime and the EU Framework Decision on Attacks against Information Systems may make selling or even manufacturing vulnerabilities illegal.[ citation needed ]

Most formal programs follow some form of Rain Forest Puppy's disclosure guidelines or the more recent OIS Guidelines for Security Vulnerability Reporting and Response.[ citation needed ] In general, these rules forbid the public disclosure of vulnerabilities without notification to the vendor and adequate time to produce a patch.


A zero-day virus (also known as zero-day malware or next-generation malware) is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available. [15]

Traditionally, antivirus software relied upon signatures to identify malware. A virus signature is a unique pattern or code that can be used to detect and identify specific viruses. The antivirus scans file signatures and compares them to a database of known malicious codes. If they match, the file is flagged and treated as a threat. The major limitation of signature-based detection is that it is only capable of flagging already known malware, making it useless against zero-day attacks. [16] Most modern antivirus software still uses signatures but also carry out other types of analysis.[ citation needed ]

Code analysis

In code analysis, the machine code of the file is analysed to see if there is anything that looks suspicious. Typically, malware has characteristic behaviour; code analysis attempts to detect if this is present in the code.

Although useful, code analysis has significant limitations. It is not always easy to determine what a section of code is intended to do, particularly if it is very complex and has been deliberately written with the intention of defeating analysis. Another limitation of code analysis is the time and resources available. In the competitive world of antivirus software, there is always a balance between the effectiveness of analysis and the time delay involved.

One approach to overcome the limitations of code analysis is for the antivirus software to run suspect sections of code in a safe sandbox and observe their behavior. This can be orders of magnitude faster than analyzing the same code, but must resist (and detect) attempts by the code to detect the sandbox.

Generic signatures

Generic signatures are signatures that are specific to certain behaviour rather than a specific item of malware. Most new malware is not totally novel, but is a variation on earlier malware, or contains code from one or more earlier examples of malware. Thus, the results of previous analysis can be used against new malware.

Competitiveness in the antivirus software industry

It is generally accepted in the antivirus industry that most vendors' signature-based protection is identically effective. If a signature is available for an item of malware, then every product (unless dysfunctional) should detect it. However, some vendors are significantly faster than others at becoming aware of new viruses and/or updating their customers' signature databases to detect them. [17]

There is a wide range of effectiveness in terms of zero-day virus protection. The German computer magazine c't found that detection rates for zero-day viruses varied from 20% to 68%. [18] It is primarily in the area of zero-day virus performance that manufacturers now compete.

U.S. government involvement

NSA's use of zero-day exploits (2017)

In mid-April 2017 the hackers known as The Shadow Brokers (TSB), who are allegedly linked to the Russian government, [19] [20] released files from the NSA (initially just regarded as alleged to be from the NSA, later confirmed through internal details and by American whistleblower Edward Snowden) [21] which include a series of 'zero-day exploits' targeting Microsoft Windows software and a tool to penetrate the Society for Worldwide Interbank Financial Telecommunication (SWIFT)'s service provider. [22] [23] [24] Ars Technica had reported Shadow Brokers' hacking claims in mid-January 2017, [25] and in April the Shadow Brokers posted the exploits as proof. [25]

Vulnerabilities Equities Process

The Vulnerabilities Equities Process, first revealed publicly in 2016, is a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities: whether to disclose them to the public to help improve general computer security or to keep them secret for offensive use against the government's adversaries. [26] The process has been criticized for a number of deficiencies, including restriction by non-disclosure agreements, lack of risk ratings, special treatment for the NSA, and less than whole-hearted commitment to disclosure as the default option. [27]

See also

Related Research Articles

Computer worm Standalone malware computer program that replicates itself in order to spread to other computers

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on the law of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

Malware A portmanteau for malicious software

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Antivirus software Computer software to defend against malicious computer viruses

Antivirus software, or anti-virus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

Defensive computing is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic situations prior to their occurrence, despite any adverse conditions of a computer system or any mistakes made by other users. This can be achieved through adherence to a variety of general guidelines, as well as the practice of specific computing techniques.

In computer security, responsible disclosure, is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended. This period distinguishes the model from full disclosure.

Kernel Patch Protection

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.

Kaspersky Anti-Virus

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

Norton AntiBot, developed by Symantec, monitored applications for damaging behavior. The application was designed to prevent computers from being hijacked and controlled by hackers. According to Symantec, over 6 million computers have been hijacked, and the majority of users are unaware of their computers being hacked.

Symantec Endpoint Protection Computer security software

Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers. It has the largest market-share of any product for endpoint security.

Computer virus Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus.

Malwarebytes is an anti-malware software for Microsoft Windows, macOS, Chrome OS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.

Malwarebytes Internet security company

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia and Cork, Ireland.

Kaspersky Lab Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Avira Operations GmbH & Co. KG is a German multinational computer security software company mainly known for their antivirus software Avira Free Security.

Duqu is a collection of computer malware discovered on 1 September 2011, thought to be related to the Stuxnet worm and to have been created by Unit 8200. The Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.

Vault 7

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers, and the operating systems of most smartphones, as well as other operating systems such as Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The general public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.


  1. Compare: "What is a Zero-Day Vulnerability?". pctools. Symantec. Archived from the original on 2017-07-04. Retrieved 2016-01-20. A zero day vulnerability refers to an exploitable bug in software that is unknown to the vendor. This security hole may be exploited by crackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
  2. Kim Zetter (Nov 11, 2014). "Hacker Lexicon: What Is a Zero Day?". Wired .
  3. Mark Maunder (Jun 16, 2014). "Where the term "Zero Day" comes from". Archived from the original on January 31, 2018.
  4. "Flash Vulnerabilities Causing Problems". ESET. Archived from the original on March 4, 2016. Retrieved Mar 4, 2016.
  5. The Man Who Found Stuxnet – Sergey Ulasen in the Spotlight published on November 2, 2011
  6. Ahmed, Azam; Perlroth, Nicole (19 June 2017). "Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families". The New York Times. Archived from the original on 2017-12-29. Retrieved 19 May 2019.
  7. "SANS sees upsurge in zero-day Web-based attacks". Computerworld. Archived from the original on December 22, 2008.
  8. "E-mail Residual Risk Assessment" (PDF). Avinti, Inc. p. 2.
  9. Johansen, Håvard; Johansen, Dag; Renesse, Robbert van (2007-05-14). Venter, Hein; Eloff, Mariki; Labuschagne, Les; Eloff, Jan; Solms, Rossouw von (eds.). New Approaches for Security, Privacy and Trust in Complex Environments . IFIP International Federation for Information Processing. Springer US. pp.  373–384. doi:10.1007/978-0-387-72367-9_32. ISBN   9780387723662.
  10. Halvar, Flake (2016-10-25). "Structural Comparison of Executable Objects". Lecture Notes in Informatics: 46. doi:10.17877/de290r-2007.
  11. Internet Security Threat Report. 10. Symantec Corp. September 2006. p. 12.
  12. "What is a Zero-Day Exploit? - An introduction to zero-day software exploits and tips on avoiding them at home".
  13. "Changes to Functionality in Microsoft Windows XP Service Pack 2".
  14. "Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems" (PDF). Retrieved 29 December 2013.
  15. "Cyberhawk – zero day threat detection review". Kickstartnews. Retrieved 29 December 2013.
  16. "What Are Zero-Day Attacks? | Safety Detective". Safety Detective. 2018-08-30. Retrieved 2018-11-22.
  17. Robert Westervelt (April 2011). "Antivirus vendors go beyond signature-based antivirus" . Retrieved 7 January 2019.
  18. Goodin, Dan (21 December 2008). "Anti-virus protection gets worse". The Channel. Retrieved 29 December 2013.
  19. "Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant". Twitter . August 16, 2016. Retrieved August 22, 2016.
  20. Price, Rob. "Edward Snowden: Russia might have leaked ni9G3r alleged NSA cyberweapons as a 'warning'". Business Insider . Retrieved August 22, 2016.
  21. Sam Biddle (August 19, 2016). "The NSA Leak is Real, Snowden Documents Confirm". The Intercept . Retrieved April 15, 2017.
  22. Henry Farrell (April 15, 2017), "Hackers have just dumped a treasure trove of NSA data. Here's what it means.", The Washington Post , retrieved April 15, 2017
  23. Baldwin, Clare (15 April 2017). "Hackers release files indicating NSA monitored global bank transfers". Reuters. Retrieved April 15, 2017.
  24. Lawler, Richard. "Shadow Brokers release also suggests NSA spied on bank transactions". Engadget . Retrieved April 15, 2017.
  25. 1 2 Dan Goodin (2017-01-13). "NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage". Ars Technica . Retrieved January 14, 2017.
  26. Newman, Lily Hay (2017-11-15). "Feds Explain Their Software Bug Stash—But Don't Erase Concerns". WIRED. Retrieved 2017-11-16.
  27. McCarthy, Kieren (15 November 2017). "The four problems with the US government's latest rulebook on security bug disclosures". The Register. Retrieved 2017-11-16.

Further reading

Examples of zero-day attacks

(Chronological order)