Imagine there’s spyware on your phone that gives someone access to your data, photos, and messages. They can even track your location. You didn’t do anything wrong, either—you were careful about what links you clicked on and avoided downloading any malicious apps.
In September 2021, it was revealed that a zero-click zero-day exploit called FORCEDENTRY was being used to install the NSO Group’s Pegasus spyware on Apple devices. The spyware could give someone secret and remote access to the devices, and it was nearly impossible to stop until Apple patched the security holes.
While there are some simple steps that you can take to protect yourself from a variety of cyberattacks—such as keeping software up to date and learning how to detect and avoid social engineering—zero-day exploits are nearly impossible to stop.
Zero-day meaning and definitions
A “zero-day” or “0-day” is a general term for a software vulnerability that the software’s creators don’t know about yet. The name is a reference to how long a company has had to fix the security threat—zero days.
While some zero-day vulnerabilities may be fixed over time, there could still be hundreds “in the wild.” These can leave anyone who’s using the vulnerable software at risk of—and defenseless during—an attack.
There are a few key terms and concepts related to zero-days and cyberattacks:
- Zero-day vulnerability. A flaw or bug that’s been discovered but hasn’t been shared with someone who wants to fix it, such as the software’s vendor or developer.
- Zero-day exploit. A technique that someone can use to take advantage of a zero-day vulnerability.
- Zero-day attack. When a group or person uses a zero-day exploit to attack a system. Sometimes, several zero-days are chained together in a single attack.
- Patch. A software update. Once a zero-day vulnerability is shared with a vendor, there may be a race to fix the vulnerability (i.e., patch it) before it’s used in an attack.
- Window of vulnerability. The time between a zero-day being discovered and when enough systems are patched that it’s no longer useful.
Once a threat actor—a malicious person or group who can impact your safety or security—uses a zero-day exploit and attack, it may become known to the public. At this point, it’s no longer a zero-day. However, there could still be vulnerable systems that aren’t patched.
How are zero-day vulnerabilities discovered?
Zero-day vulnerabilities can take different forms, from bugs in a program’s code to misconfigured security settings. And while zero-days are often a reference to vulnerabilities in software, there can also be zero-day vulnerabilities in hardware and firmware (the software that some hardware uses to run).
Some groups and individuals intentionally set out on a hunt for zero-day vulnerabilities in commonly used software. They may comb through thousands of lines of code, looking for a potential weakness that can be exploited.
Security researchers and “white hat” hackers may do so with the best of intentions. If they discover a zero-day vulnerability, they report it to the appropriate software vendor and keep it secret until the vendor patches the vulnerability. Then, they may share their findings and analysis to help others learn from the flaw. However, if the vendor isn’t addressing the concern, the hackers may publicly disclose the zero-day to try to pressure the vendor into releasing a patch.
Finding and reporting zero-day vulnerabilities isn’t just a matter of street cred—there can be big bucks involved as well. Many software vendors have bug bounty programs that will pay hackers who discover new security flaws. For example, Apple’s Security Bounty program has payout ranges of $25,000 to $1 million.
There are also hackers who look for zero-day vulnerabilities without the intention of getting them fixed. Some of these may be government employees who want to keep the zero-days secret for their own uses. Others may be “black hat” hackers who sell the vulnerability or exploit to the highest bidder.
How a zero-day attack works
Because zero-day refers to a general rather than specific type of vulnerability, zero-day attacks can work in different ways. But here’s a general overview of the timeline of a zero-day attack:
- Someone discovers a zero-day vulnerability. They decide to keep it for themselves or sell it to another person or organization.
- A zero-day exploit is developed. The exploit will use the vulnerability to secretly enter the target system. As with vulnerabilities, exploits may be developed and then used or sold.
- There’s a zero-day attack. Someone uses the zero-day exploit to implement their attack and maliciously get into a device or network. The next step could depend on the attacker’s goal. Perhaps they’re planting malware or locking up the system with ransomware. Or, they may be trying to remain hidden while stealing secrets or trying to gain additional access.
- The vulnerability is discovered and patched. Either as a result of the attack or by chance, the zero-day vulnerability is discovered and shared with the vendor. The vendor then releases a patch to address the vulnerability.
- It’s now an n-day exploit. An openly known vulnerability isn’t a zero-day anymore—now it’s an n-day. It’s been “n” days since the vendor learned about the vulnerability.
While zero-day vulnerabilities may present the most danger, don’t underestimate the potential impact of n-day exploits. Even if a vulnerability has been unveiled, it could take time for the vendor to create and deploy a patch. And, even then, you need to install the latest patches to be protected.
Who is behind zero-day attacks?
Zero-day vulnerabilities can be valuable to a variety of entities. However, they can also be difficult to find and expensive to purchase, which means they’re most often used by knowledgeable and well-financed organizations. Some of these zero-day attackers are:
- Nation states and state-sponsored groups: Many nation states, including the U.S., Russia, and China, have hacker groups that may uncover and use zero-days. There may also be government-sponsored (but not directly employed) hacking groups. Either kind of group may use zero-day attacks to spy on other countries or on citizens in their own country, and to steal secrets from corporations.
- Criminal organizations: Cybercriminal gangs—and “traditional” crime organizations that are now moving into cybercrime—might use zero-days as a means for making money. For example, a ransomware group may infiltrate large corporations and lock up their systems using a zero-day attack. They then demand payment if the company wants to get its data back or if it doesn’t want the ransomware group to release the data publicly.
Other groups or individuals may also discover or have access to zero-days that they can use. For instance, a hacktivist may use a zero-day to attack a corporation or government based on political or social (rather than financial) concerns.
How to prevent zero-day exploits and vulnerabilities
Unfortunately, no one can prevent zero-day vulnerabilities and exploits. They are a reality that we have to live with. Anyone could be affected by a zero-day exploit, whether they were targeted or not.
For example: If a cybercriminal plants spyware on a website that exploits a zero-day in certain web browsers, you could be caught by the attack if you visit that website using the vulnerable browser. Similarly, a zero-day attack may be designed to spread and affect anyone who uses the associated browser, application, operating system, or internet of things (IoT) device.
This is why consumers, organizations, and the makers of software and hardware need to be constantly vigilant about zero-day attacks.
While you might not be able to prevent a zero-day attack, there are several things you can do to decrease your chances of becoming a victim:
- Keep your systems up to date. Protect yourself from n-day exploits by making sure your software, devices, and apps are up to date. It’s especially important to regularly update your web browser. Popular browsers typically tell you to restart to use the latest version of the browser—do this for your own protection.
- Beware of phishing attempts. Often, a zero-day exploit needs to be delivered through traditional means, such as an email. Be cautious about clicking on links—learn how to spot a suspicious URL—or opening attachments.
- Beware of social engineering. Watch out for social engineering, when someone tries to gain your trust. They may impersonate a friend, colleague, company representative, or government agent and then try to befriend or threaten you. The ultimate goal is to gain access to your devices, steal your credentials, or get you to open an infected website or file.
- Limit how many apps you use. You can expose yourself to fewer potential vulnerabilities by limiting how many programs you have on your devices. If you’re no longer using something, delete or uninstall it.
- Use anti-malware and antivirus software. Having up-to-date anti-malware and antivirus software may also offer some protection. For instance, even if the specific zero-day exploit isn’t known, such software may be able to detect suspicious activity and prevent an attack.
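The “n-day” idea from the attack timeline above and the “keep your systems up to date” advice in this list come down to one check a defender can automate: compare what is installed against the first version that contains the vendor’s fix, and count how many days each unpatched item has been exposed since disclosure. The script below is an added example written for this article, not Neeva’s code; the product names, version numbers, advisories, and inventory lines are all constructed for illustration, and the `product=version` inventory format is an assumption.

```python
"""Flag installed software still exposed to publicly known (n-day) vulnerabilities.

Added example for this article: the advisories and inventory below are
constructed sample data, not real products or real security advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str      # name as it appears in the host inventory (assumed format)
    fixed_in: str     # first version that contains the vendor's patch
    disclosed: date   # day the vulnerability became public (start of the n-day clock)


# Constructed sample advisories (placeholders, not real CVEs or vendors).
ADVISORIES: List[Advisory] = [
    Advisory("browser", "116.0.1", date(2023, 8, 1)),
    Advisory("pdf-reader", "2.4.0", date(2023, 7, 15)),
    Advisory("browser", "118.0.0", date(2023, 10, 3)),
]

# Constructed host inventory in an assumed "product=version" line format.
INVENTORY_TEXT = """
# constructed inventory for one device
browser=116.0.5
pdf-reader=2.3.9
notes-app=1.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '116.0.5' into (116, 0, 5); non-numeric suffixes like '1.2b' are ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at least the first fixed version.

    Shorter tuples are padded with zeros so '1.0' equals '1.0.0'.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'product=version' lines, skipping blanks and '#' comments."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        product, version = line.split("=", 1)
        inventory[product.strip()] = version.strip()
    return inventory


def exposure_report(
    inventory: Dict[str, str], advisories: List[Advisory], today: date
) -> List[Tuple[str, str, str, int]]:
    """Return (product, installed, fixed_in, days_exposed) for every unpatched advisory.

    days_exposed is the n in "n-day": days since disclosure that this host has
    remained without the fix. Products with no advisory are simply not listed.
    """
    report = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None or is_patched(installed, adv.fixed_in):
            continue
        report.append((adv.product, installed, adv.fixed_in, (today - adv.disclosed).days))
    return report


if __name__ == "__main__":
    for product, installed, fixed_in, days in exposure_report(
        parse_inventory(INVENTORY_TEXT), ADVISORIES, date(2023, 10, 10)
    ):
        print(f"{product}: installed {installed}, fixed in {fixed_in}, exposed {days} days")
```

Running it against the constructed data reports the browser (fixed in 118.0.0, 7 days exposed) and the PDF reader (fixed in 2.4.0, 87 days exposed), while the earlier browser advisory is silent because 116.0.5 already contains that fix. The longer the “exposed” number grows, the further into n-day territory a device sits, which is exactly the window the patching advice above is trying to close.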
Ready for a safer, more private search experience? Neeva is the world’s first private, ad-free search engine, committed to showing you the best results for every search. We will never sell or share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com.