What is a zero-day exploit and why are they dangerous?

A zero-day is a software vulnerability or security flaw in a computer system that its developers or vendors are unaware of. The term zero-day (also known as 0-day) refers to the fact that, since the developer or vendor is unaware of the vulnerability, they have zero days available to mitigate against it. 

A zero-day exploit (or attack) is a cyberattack that takes advantage of a zero-day to compromise a computer system. As with any cyberattack, they can be used to compromise systems, steal data, or execute malicious code without any prior warning or protection in place. 

Why does software have security vulnerabilities?

No software is perfect. Even relatively simple apps and programs consist of many thousands of lines of highly complex code, and many popular software suites consist of tens of millions of lines of code(new window)

No developer, no matter how expert and security-focused they are, can guarantee that no mistakes have been made in their code, or can fully predict the security implications of their program’s interactions with the host operating system, with other apps installed locally on the same computer, with backend APIs(new window) and other cloud-based infrastructure, and more.

This means all but the simplest software has multiple vulnerabilities and weaknesses that can potentially be abused to comprise the software itself, the system it runs on, or even all systems connected to it over a network. 

To address this problem, developers routinely check their code for bugs and other issues that might be a security risk. They then write new code to fix or mitigate against the issues they discover, and release these fixes to the public as security updates or patches.

Unfortunately, developers and other legitimate security researchers aren’t the only people who scour software code with the aim of uncovering vulnerabilities. When a hacker discovers a vulnerability in a program before its developers do, it’s called a zero-day.

What is a zero-day exploit?

A zero-day exploit is malicious code written to leverage a zero-day vulnerability. The export can then be used to perform a cyberattack. They are particularly dangerous because the developer is simply unaware of the vulnerability, and therefore has no opportunity to write a patch or otherwise mitigate against the issue.

This often means that the only defenses against a zero-day exploit are routine security measures such as intrusion detection systems, behavior-based anomaly detection, and network monitoring.

Developers often first become aware of zero-days when they are actually exploited — that is, when they are used to attack a system or organization running the affected software. However, it is entirely possible for zero-days to be repeatedly exploited by many cybercriminals over long periods of time before developers even realize their software is under attack (the Pegasus zero-day discussed later in this article is a food example of this). 

Who uses zero-day exploits?

Cybercriminals

Criminal hackers routinely use zero-day exploits to steal data or implant malware (such as keyloggers or ransomware) on target systems.

Many hackers who research and discover zero-days don’t exploit the zero-days themselves. Instead, they sell them on the dark web, where there is a thriving market for zero-days. This can he highly lucrative for the discoverers of zero-days, while being less risky than performing the actual criminal attacks themselves.

It’s not uncommon for hackers to offer software developers the first chance to buy zero-days for their own software, and some “white hat” hackers will even voluntarily disclose zero-days to developers without asking for compensation.

Cyber warfare

State-level actors particularly value zero-days that can be exploited to target networks and systems relating to national infrastructure and national security. They often hoard such knowledge as powerful weapons in their cyber warfare arsenals. 

Corporate espionage

Commercial companies sometimes use zero-day exploits to steal information or otherwise gain an edge over their competitors.

Government agencies

It has been largely documented that government agencies such as the United States’ National Security Agency(new window) (NSA), and the UK’s GCHQ(new window) use zero-days exploits to gain backdoor access to domestic companies. Companies that provide communications or internet access and infrastructure hardware(new window) that allow for mass surveillance are particular targets.

How to prevent zero-day exploits

Since zero-day attacks exploit vulnerabilities that are unknown to the developers of the software you use, there’s no reliable way to prevent them. However, there are steps you can take to enhance your personal cybersecurity, reduce the risk of falling victim to such attacks, and to mitigate against the damage these attacks can cause.

1. Keep your software updated

Regularly update your operating system, web browsers, and software applications to ensure you have the latest security patches. Zero-days are often exploited in outdated software, and when a zero-day is discovered and developers patch it, you’ll be protected against it. 

2. Use a reputable anti-malware program

Install and maintain a trusted antivirus or anti-malware app on your computer, and keep it up to date. This can help detect and block known malware and suspicious files. Software capable of performing heuristic analysis(new window) are particularly useful against zero-days and other unknown threats (such as virus variants in the wild).

3. Use a firewall

Firewalls allow you to monitor and control network traffic as it enters and exits your computer. Enabling your computer’s built-in firewall or using a third-party firewall can help block unauthorized access to your system.

4. Use strong, unique passwords

Create strong, unique passwords for your online accounts and avoid using the same password across multiple sites. A good password manager, such as Proton Pass(new window), can generate and store complex passwords securely, remembering them so you don’t need to. 

5. Enable two-factor authentication (2FA)

Whenever possible, enable two-factor authentication(new window) for your online accounts. This provides an extra layer of security by requiring a second authentication method, such as a one-time code from a mobile app or a text message. Proton Pass has a built-in two-factor authenticator.

Learn how to use 2FA in Proton Pass(new window)

6. Be cautious with email links

Zero-day attacks can often begin with phishing emails(new window). Be skeptical of unsolicited emails and links in emails, especially if they come from unknown sources. Don’t click on suspicious links or download attachments from untrusted senders. 

7. Regularly back up your important data

Regularly back up your important data to an external drive or cloud storage. This can protect your files in case of a ransomware attack or other data loss.

8. Regularly review your app permissions

On your mobile devices, review the permissions you give to the apps you install. Ensure your apps only have access to the data and features they truly need.

9. Disable features and services that you don’t need

Any code ruining in your device can be exploited, so features, apps, and services that you don’t use are an unnecessary security risk that are often targeted by hackers. For example, a zero-day in Apple’s iMessage app(new window) allowed the Israeli NSO Group to hack into at least one Bahraini activist’s iPhone.

Notable zero-day exploits

The Zero Day Initiative(new window) recorded a single vulnerability in 2005. By 2016, this had risen to 700 vulnerabilities, and as of November 2023, the organization recorded over 1,550 zero-day vulnerabilities(new window)

Some of the most infamous zero-day exploits include:

EternalBlue(new window)

A powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011, EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol, allowing attackers to run code on target computers. 

The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many Windows users don’t update their systems. 

Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, notably being used by hackers to spread the notorious WannaCry ransomware (new window)in 2016.

Stuxnet(new window)

In 2010, a self-replicating computer worm(new window) caused the gas centrifuge motors at a number of nuclear facilities around the world to self-destruct without triggering the alerts and safeguards that should be in place. 

Although never conclusively proved, it is widely speculated that Stuxnet was developed by Israel, working in collaboration with the United States, to impede Iran’s nuclear program at its Natanz nuclear facilities. However, once “in the wild”, Stuxnet infected numerous nuclear facilities around the world. 

Yahoo! data breach(new window)

Yahoo has been victim to a number of high-profile data breaches in recent years, but the first of these, which occurred in August 2013 as a result of a zero-day attack, is notable for its sheer scale.

Now considered the largest known breach of its kind, in 2016 Yahoo! revealed that some three billion of its user accounts containing sensitive information, including passwords and unencrypted security questions and answers, were compromised.

Verizon was in the process of acquiring Yahoo! When the news broke, resulting in about $350 million being wiped from the purchase price. A zero-day exploit in Yahoo!’s code caused the breach.

Pegasus(new window)

A spyware tool developed by the Israeli company NSO Group, Pegasus has been used to target journalists, activists, and politicians around the world. Pegasus exploits zero-day vulnerabilities in iOS and some Android devices to gain access to sensitive data, including passwords, contact lists, calendar events, text messages, and live voice calls.

Pegasus has been targeted at numerous politicians and human rights activists around the world, including the Egyptian prime minister(new window), French President Emmanuel Macron and 14 of his ministers(new window), and political opponents of Hungarian Prime Minister Victor Orbán(new window).   

Final thoughts

Zero-day exploits are often devastating because it’s all but impossible to prevent or effectively mitigate against something you don’t even know exists. However, individuals, companies, and software developers can minimize the risk by respond effectively to security breaches by being vigilant, staying informed, and following best practices

Protect your privacy and security online
Get Proton VPN free

Related articles

Paris Olympics
The 2024 Summer Olympics in Paris begins this July. While you’ve likely already missed your chance to get a ticket and witness the best athletes from around the world in person, there are plenty of ways to enjoy the games from the comfort of your hom
Where to watch euros
Every four years, the entire continent of Europe turns its eyes to see who will be crowned as the continent’s champion of football (or soccer for the Americans).  This is the 17th edition of the UEFA European Football Championship, in which 24 natio
How to enable location services
Location services refer to a combination of technologies used in devices like smartphones and computers that use data from your device’s GPS, WiFi, mobile (cellular networks), and sometimes even Bluetooth connections to determine and track your geogr
What is AirTag stalking?
In an era of “smart devices” that often double as spy devices, AirTags are tracking tools that are open about their function and can be vital in helping locate lost items (as anyone who has lost their car keys can attest to). However, as a recent cla
How to fix a "Your connection is not safe" error
As you surf the web using your browser, you’ll no doubt encounter websites that your browser will refuse to load, instead showing some variation of an error message, such as Your connection is not private or Warning: Potential Security Risk Ahead. 
Your search history is a window into your inner life. Anyone with access to it knows what your hobbies and interests are, your sexual orientation and preferences, the things that worry you (for example your medical concerns), your political affiliati