A zero-day is a software vulnerability or security flaw in a computer system that its developers or vendors are unaware of. The term zero-day (also known as 0-day) refers to the fact that, since the developer or vendor is unaware of the vulnerability, they have zero days available to mitigate against it.
A zero-day exploit (or attack) is a cyberattack that takes advantage of a zero-day to compromise a computer system. As with any cyberattack, they can be used to compromise systems, steal data, or execute malicious code without any prior warning or protection in place.
- Why does software have security vulnerabilities?
- What is a zero-day exploit?
- Who uses zero-day exploits?
- How to prevent zero-day exploits
- Notable zero-day exploits
Why does software have security vulnerabilities?
No software is perfect. Even relatively simple apps and programs consist of many thousands of lines of highly complex code, and many popular software suites consist of tens of millions of lines of code.
No developer, no matter how expert and security-focused they are, can guarantee that no mistakes have been made in their code, or can fully predict the security implications of their program’s interactions with the host operating system, with other apps installed locally on the same computer, with backend APIs and other cloud-based infrastructure, and more.
This means all but the simplest software has multiple vulnerabilities and weaknesses that can potentially be abused to comprise the software itself, the system it runs on, or even all systems connected to it over a network.
To address this problem, developers routinely check their code for bugs and other issues that might be a security risk. They then write new code to fix or mitigate against the issues they discover, and release these fixes to the public as security updates or patches.
Unfortunately, developers and other legitimate security researchers aren’t the only people who scour software code with the aim of uncovering vulnerabilities. When a hacker discovers a vulnerability in a program before its developers do, it’s called a zero-day.
What is a zero-day exploit?
A zero-day exploit is malicious code written to leverage a zero-day vulnerability. The export can then be used to perform a cyberattack. They are particularly dangerous because the developer is simply unaware of the vulnerability, and therefore has no opportunity to write a patch or otherwise mitigate against the issue.
This often means that the only defenses against a zero-day exploit are routine security measures such as intrusion detection systems, behavior-based anomaly detection, and network monitoring.
Developers often first become aware of zero-days when they are actually exploited — that is, when they are used to attack a system or organization running the affected software. However, it is entirely possible for zero-days to be repeatedly exploited by many cybercriminals over long periods of time before developers even realize their software is under attack (the Pegasus zero-day discussed later in this article is a food example of this).
Who uses zero-day exploits?
Criminal hackers routinely use zero-day exploits to steal data or implant malware (such as keyloggers or ransomware) on target systems.
Many hackers who research and discover zero-days don’t exploit the zero-days themselves. Instead, they sell them on the dark web, where there is a thriving market for zero-days. This can he highly lucrative for the discoverers of zero-days, while being less risky than performing the actual criminal attacks themselves.
It’s not uncommon for hackers to offer software developers the first chance to buy zero-days for their own software, and some “white hat” hackers will even voluntarily disclose zero-days to developers without asking for compensation.
State-level actors particularly value zero-days that can be exploited to target networks and systems relating to national infrastructure and national security. They often hoard such knowledge as powerful weapons in their cyber warfare arsenals.
Commercial companies sometimes use zero-day exploits to steal information or otherwise gain an edge over their competitors.
It has been largely documented that government agencies such as the United States’ National Security Agency (NSA), and the UK’s GCHQ use zero-days exploits to gain backdoor access to domestic companies. Companies that provide communications or internet access and infrastructure hardware that allow for mass surveillance are particular targets.
How to prevent zero-day exploits
Since zero-day attacks exploit vulnerabilities that are unknown to the developers of the software you use, there’s no reliable way to prevent them. However, there are steps you can take to enhance your personal cybersecurity, reduce the risk of falling victim to such attacks, and to mitigate against the damage these attacks can cause.
1. Keep your software updated
Regularly update your operating system, web browsers, and software applications to ensure you have the latest security patches. Zero-days are often exploited in outdated software, and when a zero-day is discovered and developers patch it, you’ll be protected against it.
2. Use a reputable anti-malware program
Install and maintain a trusted antivirus or anti-malware app on your computer, and keep it up to date. This can help detect and block known malware and suspicious files. Software capable of performing heuristic analysis are particularly useful against zero-days and other unknown threats (such as virus variants in the wild).
3. Use a firewall
Firewalls allow you to monitor and control network traffic as it enters and exits your computer. Enabling your computer’s built-in firewall or using a third-party firewall can help block unauthorized access to your system.
4. Use strong, unique passwords
Create strong, unique passwords for your online accounts and avoid using the same password across multiple sites. A good password manager, such as Proton Pass, can generate and store complex passwords securely, remembering them so you don’t need to.
5. Enable two-factor authentication (2FA)
Whenever possible, enable two-factor authentication for your online accounts. This provides an extra layer of security by requiring a second authentication method, such as a one-time code from a mobile app or a text message. Proton Pass has a built-in two-factor authenticator.
6. Be cautious with email links
Zero-day attacks can often begin with phishing emails. Be skeptical of unsolicited emails and links in emails, especially if they come from unknown sources. Don’t click on suspicious links or download attachments from untrusted senders.
7. Regularly back up your important data
Regularly back up your important data to an external drive or cloud storage. This can protect your files in case of a ransomware attack or other data loss.
8. Regularly review your app permissions
On your mobile devices, review the permissions you give to the apps you install. Ensure your apps only have access to the data and features they truly need.
9. Disable features and services that you don’t need
Any code ruining in your device can be exploited, so features, apps, and services that you don’t use are an unnecessary security risk that are often targeted by hackers. For example, a zero-day in Apple’s iMessage app allowed the Israeli NSO Group to hack into at least one Bahraini activist’s iPhone.
Notable zero-day exploits
The Zero Day Initiative recorded a single vulnerability in 2005. By 2016, this had risen to 700 vulnerabilities, and as of November 2023, the organization recorded over 1,550 zero-day vulnerabilities.
Some of the most infamous zero-day exploits include:
A powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011, EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol, allowing attackers to run code on target computers.
The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many Windows users don’t update their systems.
Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, notably being used by hackers to spread the notorious WannaCry ransomware in 2016.
In 2010, a self-replicating computer worm caused the gas centrifuge motors at a number of nuclear facilities around the world to self-destruct without triggering the alerts and safeguards that should be in place.
Although never conclusively proved, it is widely speculated that Stuxnet was developed by Israel, working in collaboration with the United States, to impede Iran’s nuclear program at its Natanz nuclear facilities. However, once “in the wild”, Stuxnet infected numerous nuclear facilities around the world.
Yahoo has been victim to a number of high-profile data breaches in recent years, but the first of these, which occurred in August 2013 as a result of a zero-day attack, is notable for its sheer scale.
Now considered the largest known breach of its kind, in 2016 Yahoo! revealed that some three billion of its user accounts containing sensitive information, including passwords and unencrypted security questions and answers, were compromised.
Verizon was in the process of acquiring Yahoo! When the news broke, resulting in about $350 million being wiped from the purchase price. A zero-day exploit in Yahoo!’s code caused the breach.
A spyware tool developed by the Israeli company NSO Group, Pegasus has been used to target journalists, activists, and politicians around the world. Pegasus exploits zero-day vulnerabilities in iOS and some Android devices to gain access to sensitive data, including passwords, contact lists, calendar events, text messages, and live voice calls.
Pegasus has been targeted at numerous politicians and human rights activists around the world, including the Egyptian prime minister, French President Emmanuel Macron and 14 of his ministers, and political opponents of Hungarian Prime Minister Victor Orbán.
Zero-day exploits are often devastating because it’s all but impossible to prevent or effectively mitigate against something you don’t even know exists. However, individuals, companies, and software developers can minimize the risk by respond effectively to security breaches by being vigilant, staying informed, and following best practices