Software providers constantly work to find and fix problems in their programs, but sometimes the bad guys find the flaws first. These unknown, exploitable bugs in software, hardware, or firmware are called zero-day vulnerabilities. They’re usually caused by programming errors or computer or security misconfigurations. And they’re called zero-days because defenders have essentially no time to fix them before a cybercriminal could exploit them.

Ideally, when developers, ethical hackers, or security researchers discover a vulnerability, they work quickly with the software provider to release a patch or update to fix the issue, says Al Pascual, senior vice president of research, and head of fraud and security at Javelin Strategy and Research.


For critical systems, “just patch it” is a paradox
When to disclose a zero-day vulnerability
Bug bounties have bugs of their own
What’s in a bug bounty? Not extortion
Bug bounties break out beyond tech
The dark side of bug bounties

That doesn’t always happen, of course, as Microsoft and more recently Panera Bread have demonstrated. When cybercriminals find a vulnerability, and use it to launch an attack on the hardware, applications, data, or network—all before a patch or update is released—it’s called a zero-day exploit.

“The goal of these [cybercriminals] is to find a way in by reverse-engineering a piece of software to find the vulnerabilities,” Pascual says. “They want to find a way to break the software, or try to get it to do something other than what it was intended to do, whether that’s additional access or executables. It can be super simple or complex.”

In a simple attack, hackers might launch a broad, email-based malware attack that takes advantage of the vulnerability and lures victims to malicious websites to steal log-in credentials. In more sophisticated attacks, hackers might target nation-states to vandalize, cripple, or destroy systems, says Orli Gan, head of threat prevention product management at IT security company Check Point.

In February, for example, South Korea’s Computer Emergency Response Team issued an alert for a new Adobe Flash Player zero-day vulnerability that North Korean hackers were actively exploiting to target Windows users in South Korea. Attackers tricked victims into opening Microsoft Office documents, Web pages, or spam messages that contained malicious code in order to take control of a computer.

More famously, last year, a cyberattack dubbed NotPetya used mock ransomware to wipe out data at Ukrainian banks, energy companies, media organizations, and government agencies. The CIA, noting that the attack displayed characteristics of an advanced persistent threat, later attributed NotPetya to Russian military hackers intent on crippling Ukraine.

Zero-day vulnerabilities are key to APTs, Pascual says. APTs are targeted attacks in which cybercriminals work to surreptitiously gain access to a network and stay undetected for a long time.

“It’s extremely rare that zero-day attacks would be used against an individual, unless you’re a target of a nation-state,” he says. “These typically target organizations and institutions, and are designed to facilitate things like APT.”

Defending against zero-days

Three or four years ago, most zero-day attacks were relatively sophisticated, Gan says. Cybercriminals used well-written software, the latest exploit kits, and advanced evasion techniques. Since then, there’s been what she calls a “parting of the sea.”

On one end of the spectrum are sophisticated attacks; on the other end are more simple ones—poorly coded attacks that rely on elementary techniques. While the former are declining, the latter are increasing, she says.

“More are based on [Microsoft] Office documents or executables that are much easier to block, but still trick enough people to click and become infected. If you think about the motivation of most cybercriminals, it’s about making money,” she says. “With a statistical attack, you need just enough people to get infected with whatever you’re sending them. They’ve perfected this delivery mechanism, so why bother with something sophisticated when you can get away with something simple?”

Defending against the exploitation of zero-day vulnerabilities is nearly impossible because they’re unknown to security researchers and the public. Traditional security tools that businesses use, such as antivirus software, intrusion detection systems, and intrusion prevention systems, are usually ineffective because the exploit hasn’t been encountered before, experts say.

Instead, businesses typically rely on four techniques to detect a zero-day attack, according to a report from The SANS Institute. The techniques are statistical-based, which rely on attack profiles built from historical data; signature-based, which depend on signatures made from known exploits; behavior-based, which use the analysis of the exploit’s interaction with the target; and hybrid-based, which blend the different approaches.

To protect yourself from the security risks associated with zero-day vulnerabilities, experts recommend that you exercise good “security hygiene,” which includes performing regular software and browser updates, which may include patches for known vulnerabilities; using only essential applications to reduce your risk footprint; and practicing safe browsing habits, such as not opening files from unknown sources.