What Is a Zero-Day Exploit?

Software companies such as Microsoft, Adobe and Apple constantly work to fix flaws within their programs, but sometimes they aren't the first to discover vulnerabilities.

Sometimes cybercriminals find these flaws first, and when they do, they may exploit the software vulnerabilities for their own financial gain at the expense of ordinary computer users.

An attack on a software flaw that occurs before the software's developers have had time to develop a patch for the flaw is often known as a zero-day exploit. The term "zero-day" denotes that developers have had zero days to fix the vulnerability.

It can also refer to attacks that occur on the same day (day zero) a vulnerability is disclosed. In fact, some zero-day exploits are the first indication that the associated vulnerability exists at all.

Zero-day exploits are particularly menacing because they can infect your computer network even if you've been perfectly diligent about updating your software. 

What zero-day exploits look like

Zero-day exploits come in all shapes and sizes, but typically serve a singular purpose: to deliver malware to unsuspecting victims. The most dangerous varieties of zero-day exploits facilitate drive-by downloads, in which simply browsing to an exploited Web page or clicking a poisoned Web link can result in a full-fledged malware attack on your system. Such attacks exploit vulnerabilities within a Web browser's software, or within third-party browser plug-ins.

But zero-day attackers have also been known to exploit vulnerabilities within Microsoft Word, PowerPoint and Excel, within various Adobe products such as Reader and Flash Player, and within other programs. Flaws in such software can lead to targeted attacks against companies and government agencies.

By sending spoofed email messages containing infected Word documents, for example, cybercriminals might fool employees into downloading malware packages. These spoofed emails often appear to come from known contacts, making them particularly hard to filter out. 

Criminals aren't the only hackers using zero-day exploits. Stuxnet, the computer worm that sabotaged the Iranian nuclear program in 2010, contained four zero-day exploits never before seen. U.S. and Israeli government agencies are suspected of having created Stuxnet.

The zero-day industry

Instances of zero-day vulnerabilities have increased dramatically over the past decade, mirroring the rapid increase in global Internet use — particularly on mobile devices — and the speed with which software companies churn out new programs.

However, relatively few of these reported vulnerabilities have led to attacks by cybercriminals. A Microsoft survey found that only 1 percent of security incidents in the first half of 2011 were the result of zero-day exploits. 

Why aren't more zero-day security flaws turned into cyberattacks? The reason may be that criminals aren't the only ones out there looking for these flaws. Not only do software companies proactively search for security holes in their products, they also frequently receive reports of security flaws from their users and from security researchers (also known as "white hat" hackers).

Such practices fuel what some technology experts refer to as the zero-day industry — a growing business within the security sector.

In theory, security researchers abide by a set of practices known as "ethical disclosure." In other words, instead of selling information about security flaws to the highest bidder, they offer it up — for free — to software companies.

But not all researchers feel compelled to adhere to this honor system. Some choose to go public with information about security flaws in order to force recalcitrant software companies to issue a fix. Others sell their research to third-party companies — a practice known as "bounty hunting."

Bounty hunting companies, or exploit brokers, serve as middlemen, facilitating monetary transactions between hackers and the software companies or websites that they hack. The broker pays the hacker for information about software flaws, which it in turn sells to the company affected by the flaw.

In recent years, many companies — including Facebook, Microsoft, Yahoo!, Google and PayPal — have also launched bounty programs of their own, which cut out middlemen altogether by compensating friendly hackers for turning over information about potentially damaging security flaws.

Most recently, Facebook and Microsoft have teamed up to sponsor the HackerOne program, which offers hackers up to $5,000 for useful information about zero-day vulnerabilities. Google now also pays for vulnerabilities in open-source software packages that belong to no one company, but help run the Internet.

Many of these companies also sponsor security briefing and hacking conferences — such as Black Hat, DEFCON and Pwn2Own — at which researchers meet to discuss current security strategies and find security flaws in popular software.

While many software companies and popular websites are willing to pay for exclusive rights to information about their own zero-day security holes, there is also a thriving black market in information about these critical flaws.

Exploit brokers often sell software vulnerabilities to shady customers — well-heeled cybercriminal organizations and, just as often, deep-pocketed government intelligence agencies.

While no U.S. government agency has gone on the record as saying that it purchases information about zero-days, it is speculated that defense dollars are already being spent on obtaining valuable zero-day exploits.

Protecting yourself against zero-day attacks

Because of the very nature of zero-day exploits, no network can be 100 percent safe from such vulnerabilities. However, there are measures you can take to prevent the detrimental effects of such an attack.

For individuals, a commonsense approach to computer security is essential. Never click on suspicious links included in emails, instant messages, Facebook or Twitter postings or while browsing the Web. Always use caution when downloading email attachments or online content, even if it appears to come from a trusted source. Never open an email attachment from an unknown source.

Businesses and other organizations can also follow certain security procedures to ensure the safety of their networks against zero-day attacks. Use virtual LANs to protect individual transmissions and implement an intrusion detection system — like a stateful firewall — to deter zero-day attackers.

If your network doesn't use access control, you should consider introducing this security feature to better control which machines have access to your network. Finally, locking down wireless access points and using a modern security scheme, such Wi-Fi Protected Access or WPA2, can also help prevent wireless attacks.

Follow Elizabeth Palermo on Twitter @techEpalermo, Facebook & Google+. Follow Tom's Guide @tomsguide We're also on Facebook & Google+.

TOPICS

Elizabeth is a Live Science associate editor who writes about science and technology. She graduated with a bachelor of arts degree from George Washington University and has also written for Space.com, Everyday Health, Yahoo and Tom's Guide, among others. Elizabeth has traveled throughout the Americas, studying political systems and indigenous cultures and teaching English to students of all ages.