Zero day actually refers to two things: a zero-day vulnerability or a zero-day exploit.
A zero-day vulnerability is a security hole in software—such as browser software or operating system software—that is still unknown to the software maker and to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known to attackers who are quietly exploiting it. Because zero-day vulnerabilities are unknown to software vendors and antivirus firms, there is no patch available yet to fix the hole and generally no antivirus signatures to detect the exploit, though sometimes antivirus scanners can still detect a zero day using heuristics (behavior-tracking algorithms that spot suspicious or malicious activity rather than matching a known signature).
A zero-day exploit is the code attackers use to take advantage of a zero-day vulnerability. They use the exploit code to slip through the hole in the software and plant a virus, Trojan horse or other malware on a computer or device. It’s similar to a thief slipping through a broken or unlocked window to get into a house.
The term “zero-day” refers to the number of days that the software vendor has known about the hole. The term apparently originated in the days of digital bulletin boards, or BBSs, when it referred to the number of days since a new software program had been released to the public. Zero day software was unreleased software and was highly coveted by hackers who wanted to be the first to obtain it.
Zero-day vulnerabilities and exploit code are extremely valuable and are used not only by criminal hackers but also by nation-state spies and cyber warriors, like those working for the NSA and the U.S. Cyber Command.
Zero-day vulnerabilities used to be extremely rare. Out of the more than a million pieces of malware that security firms discovered and processed each month, only about one or two were zero-day exploit code. These days, however, more zero days are being used and discovered. That’s in part due to the emergence of a large market for buying and selling zero-day vulnerabilities and exploits, driven largely by demand from government intelligence agencies.
The zero-day market has three parts. The first is the black underground market, where criminal hackers trade exploit code and vulnerability information to break into systems and steal passwords and credit card numbers. The second is the white market, which encompasses the bug bounty programs where researchers and hackers disclose vulnerability information to vendors, in exchange for money, so the holes can be fixed; this market also includes security companies that purchase zero-day exploits to use in their penetration-testing products to determine whether a customer’s system is vulnerable to attack. The third is the “gray” market, where researchers and companies, some of them military defense contractors, sell zero-day exploits and vulnerability information to militaries, intelligence agencies and law enforcement for use in surveillance and offensive computer operations.
Some of the most famous attacks that used zero-day exploits are:
Stuxnet—a virus/worm that targeted computers in Iran’s uranium enrichment plant at Natanz and used five zero-day exploits to spread and gain privileged access on systems. One of the vulnerabilities, however, was patched by Microsoft before the attackers unleashed their code, so technically, at the time Stuxnet was discovered, it was using only four zero-days.
Aurora—in 2010 hackers believed to be from China broke into Google, Adobe, and more than a dozen other companies using a zero-day vulnerability found in several versions of Microsoft’s Internet Explorer browser software. The attackers were targeting, at least in part, Google’s source code—possibly to study it and discover additional zero-day vulnerabilities for future use. The group behind those attacks is still active and has been caught using at least eight other zero-day exploits since then.
RSA hack—attackers, believed to be the same group that targeted Google, used a zero-day exploit in Adobe’s Flash player in a spear-phishing attack against employees of the security firm. The intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products.
The price of zero-day vulnerabilities can vary greatly—anywhere from $5,000 to several hundred thousand dollars—depending on a number of factors. A vulnerability that exists in multiple versions of the Windows operating system will be much more valuable than one that exists in only a single version of the software. One that targets Apple’s iOS, which is more difficult to crack than other mobile platforms, can be even more valuable. Exploits that bypass built-in security protections—for example, the sandboxes built into browsers to keep malware from breaking out of the browser and affecting the computer’s operating system—will also bring more than an exploit targeting a standard browser hole.
Controversy over the U.S. government’s use of zero days has been growing since Stuxnet was discovered in 2010 and has increased in the wake of the Edward Snowden revelations about the government’s hacking activities. Earlier this year, the White House announced a new policy indicating that it will disclose zero-day vulnerabilities that the National Security Agency discovers in software so that they can be patched, but any flaw with “a clear national security or law enforcement” use can still be kept secret and exploited.
Hacker Lexicon is WIRED’s explainer series that seeks to de-mystify the jargon of information security, surveillance and privacy.