What is a zero-day exploit and why are they dangerous?

A zero-day is a software vulnerability or security flaw in a computer system that its developers or vendors are unaware of. The term zero-day (also known as 0-day) refers to the fact that, since the developer or vendor is unaware of the vulnerability, they have zero days available to mitigate against it. 

A zero-day exploit (or attack) is a cyberattack that takes advantage of a zero-day to compromise a computer system. As with any cyberattack, they can be used to compromise systems, steal data, or execute malicious code without any prior warning or protection in place. 

Why does software have security vulnerabilities?

No software is perfect. Even relatively simple apps and programs consist of many thousands of lines of highly complex code, and many popular software suites consist of tens of millions of lines of code(new window)

No developer, no matter how expert and security-focused they are, can guarantee that no mistakes have been made in their code, or can fully predict the security implications of their program’s interactions with the host operating system, with other apps installed locally on the same computer, with backend APIs(new window) and other cloud-based infrastructure, and more.

This means all but the simplest software has multiple vulnerabilities and weaknesses that can potentially be abused to comprise the software itself, the system it runs on, or even all systems connected to it over a network. 

To address this problem, developers routinely check their code for bugs and other issues that might be a security risk. They then write new code to fix or mitigate against the issues they discover, and release these fixes to the public as security updates or patches.

Unfortunately, developers and other legitimate security researchers aren’t the only people who scour software code with the aim of uncovering vulnerabilities. When a hacker discovers a vulnerability in a program before its developers do, it’s called a zero-day.

What is a zero-day exploit?

A zero-day exploit is malicious code written to leverage a zero-day vulnerability. The export can then be used to perform a cyberattack. They are particularly dangerous because the developer is simply unaware of the vulnerability, and therefore has no opportunity to write a patch or otherwise mitigate against the issue.

This often means that the only defenses against a zero-day exploit are routine security measures such as intrusion detection systems, behavior-based anomaly detection, and network monitoring.

Developers often first become aware of zero-days when they are actually exploited — that is, when they are used to attack a system or organization running the affected software. However, it is entirely possible for zero-days to be repeatedly exploited by many cybercriminals over long periods of time before developers even realize their software is under attack (the Pegasus zero-day discussed later in this article is a food example of this). 

Who uses zero-day exploits?

Cybercriminals

Criminal hackers routinely use zero-day exploits to steal data or implant malware (such as keyloggers or ransomware) on target systems.

Many hackers who research and discover zero-days don’t exploit the zero-days themselves. Instead, they sell them on the dark web, where there is a thriving market for zero-days. This can he highly lucrative for the discoverers of zero-days, while being less risky than performing the actual criminal attacks themselves.

It’s not uncommon for hackers to offer software developers the first chance to buy zero-days for their own software, and some “white hat” hackers will even voluntarily disclose zero-days to developers without asking for compensation.

Cyber warfare

State-level actors particularly value zero-days that can be exploited to target networks and systems relating to national infrastructure and national security. They often hoard such knowledge as powerful weapons in their cyber warfare arsenals. 

Corporate espionage

Commercial companies sometimes use zero-day exploits to steal information or otherwise gain an edge over their competitors.

Government agencies

It has been largely documented that government agencies such as the United States’ National Security Agency(new window) (NSA), and the UK’s GCHQ(new window) use zero-days exploits to gain backdoor access to domestic companies. Companies that provide communications or internet access and infrastructure hardware(new window) that allow for mass surveillance are particular targets.

How to prevent zero-day exploits

Since zero-day attacks exploit vulnerabilities that are unknown to the developers of the software you use, there’s no reliable way to prevent them. However, there are steps you can take to enhance your personal cybersecurity, reduce the risk of falling victim to such attacks, and to mitigate against the damage these attacks can cause.

1. Keep your software updated

Regularly update your operating system, web browsers, and software applications to ensure you have the latest security patches. Zero-days are often exploited in outdated software, and when a zero-day is discovered and developers patch it, you’ll be protected against it. 

2. Use a reputable anti-malware program

Install and maintain a trusted antivirus or anti-malware app on your computer, and keep it up to date. This can help detect and block known malware and suspicious files. Software capable of performing heuristic analysis(new window) are particularly useful against zero-days and other unknown threats (such as virus variants in the wild).

3. Use a firewall

Firewalls allow you to monitor and control network traffic as it enters and exits your computer. Enabling your computer’s built-in firewall or using a third-party firewall can help block unauthorized access to your system.

4. Use strong, unique passwords

Create strong, unique passwords for your online accounts and avoid using the same password across multiple sites. A good password manager, such as Proton Pass(new window), can generate and store complex passwords securely, remembering them so you don’t need to. 

5. Enable two-factor authentication (2FA)

Whenever possible, enable two-factor authentication(new window) for your online accounts. This provides an extra layer of security by requiring a second authentication method, such as a one-time code from a mobile app or a text message. Proton Pass has a built-in two-factor authenticator.

Learn how to use 2FA in Proton Pass(new window)

6. Be cautious with email links

Zero-day attacks can often begin with phishing emails(new window). Be skeptical of unsolicited emails and links in emails, especially if they come from unknown sources. Don’t click on suspicious links or download attachments from untrusted senders. 

7. Regularly back up your important data

Regularly back up your important data to an external drive or cloud storage. This can protect your files in case of a ransomware attack or other data loss.

8. Regularly review your app permissions

On your mobile devices, review the permissions you give to the apps you install. Ensure your apps only have access to the data and features they truly need.

9. Disable features and services that you don’t need

Any code ruining in your device can be exploited, so features, apps, and services that you don’t use are an unnecessary security risk that are often targeted by hackers. For example, a zero-day in Apple’s iMessage app(new window) allowed the Israeli NSO Group to hack into at least one Bahraini activist’s iPhone.

Notable zero-day exploits

The Zero Day Initiative(new window) recorded a single vulnerability in 2005. By 2016, this had risen to 700 vulnerabilities, and as of November 2023, the organization recorded over 1,550 zero-day vulnerabilities(new window)

Some of the most infamous zero-day exploits include:

EternalBlue(new window)

A powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011, EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol, allowing attackers to run code on target computers. 

The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many Windows users don’t update their systems. 

Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, notably being used by hackers to spread the notorious WannaCry ransomware (new window)in 2016.

Stuxnet(new window)

In 2010, a self-replicating computer worm(new window) caused the gas centrifuge motors at a number of nuclear facilities around the world to self-destruct without triggering the alerts and safeguards that should be in place. 

Although never conclusively proved, it is widely speculated that Stuxnet was developed by Israel, working in collaboration with the United States, to impede Iran’s nuclear program at its Natanz nuclear facilities. However, once “in the wild”, Stuxnet infected numerous nuclear facilities around the world. 

Yahoo! data breach(new window)

Yahoo has been victim to a number of high-profile data breaches in recent years, but the first of these, which occurred in August 2013 as a result of a zero-day attack, is notable for its sheer scale.

Now considered the largest known breach of its kind, in 2016 Yahoo! revealed that some three billion of its user accounts containing sensitive information, including passwords and unencrypted security questions and answers, were compromised.

Verizon was in the process of acquiring Yahoo! When the news broke, resulting in about $350 million being wiped from the purchase price. A zero-day exploit in Yahoo!’s code caused the breach.

Pegasus(new window)

A spyware tool developed by the Israeli company NSO Group, Pegasus has been used to target journalists, activists, and politicians around the world. Pegasus exploits zero-day vulnerabilities in iOS and some Android devices to gain access to sensitive data, including passwords, contact lists, calendar events, text messages, and live voice calls.

Pegasus has been targeted at numerous politicians and human rights activists around the world, including the Egyptian prime minister(new window), French President Emmanuel Macron and 14 of his ministers(new window), and political opponents of Hungarian Prime Minister Victor Orbán(new window).   

Final thoughts

Zero-day exploits are often devastating because it’s all but impossible to prevent or effectively mitigate against something you don’t even know exists. However, individuals, companies, and software developers can minimize the risk by respond effectively to security breaches by being vigilant, staying informed, and following best practices

Related articles

How to fix a 502 error
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.
What is doxing and is doxing illegal
  • Privacy basics
We look at what doxing is, who does it (and why), and at how to protect yourself from doxing .