Quick Links

The tech press is constantly writing about new and dangerous "zero-day" exploits. But what exactly is a zero-day exploit, what makes it so dangerous, and -- most importantly -- how can you protect yourself?

Zero-day attacks happen when the bad guys get ahead of the good guys, attacking us with vulnerabilities we never even knew existed. They're what happens when we haven't had time to prepare our defenses.

Software Is Vulnerable

Software isn't perfect. The browser you're reading this in---whether it's Chrome, Firefox, Internet Explorer, or anything else---is guaranteed to have bugs in it. Such a complex piece of software is written by human beings and has problems we just don't know about yet. Many of these bugs aren't very dangerous---maybe they cause a website to malfunction or your browser to crash. However, some bugs are security holes. An attacker that knows about the bug can craft an exploit that uses the bug in the software to gain access to your system.

Of course, some software is more vulnerable than others. For example, Java has had a never-ending stream of vulnerabilities that allow websites using the Java plug-in to escape the Java sandbox and have full access to your machine. Exploits that manage to compromise Google Chrome's sandboxing technology have been much more rare, although even Chrome has had zero-days.

Responsible Disclosure

Sometimes, a vulnerability is discovered by the good guys. Either the developer discovers the vulnerability themselves or "white-hat" hackers discover the vulnerability and disclose it responsibly, perhaps through something like Pwn2Own or Google's Chrome bug bounty program, which reward hackers for discovering vulnerabilities and disclose them responsibly. The developer fixes the bug and releases a patch for it.

Malicious people may later try to exploit the vulnerability after it's been disclosed and patched, but people have had time to prepare.

Some people do not patch their software in a timely fashion, so these attacks can still be dangerous. However, if an attack targets a piece of software using known vulnerability that there's already a patch available for, that's not a "zero-day" attack.

Zero-Day Attacks

Sometimes, a vulnerability is discovered by the bad guys. The people who discover the vulnerability may sell it to other people and organizations looking for exploits (this is big business---this isn't just teenagers in basements trying to mess with you anymore, this is organized crime in action) or use it themselves. The vulnerability may have been known to the developer already, but the developer may not have been able to fix it in time.

Related: Why Are There So Many Zero-Day Security Holes?

In this case, neither the developer nor people using the software have advance warning that their software is vulnerable. People only learn that the software is vulnerable when it's already being attacked,  often by examining the attack and learning what bug it exploits.

This is a zero-day attack---it means that developers have had zero days to deal with the problem before it's already being exploited in the wild. However, the bad guys have known about it for long enough to craft an exploit and start attacking. The software remains vulnerable to attack until a patch is released and applied by users, which may take several days.

How to Protect Yourself

Zero days are scary because we don't have any advance notice of them. We can't prevent zero-day attacks by keeping our software patched. By definition, no patches are available for a zero-day attack.

So what can we do to protect ourselves from zero-day exploits?

  • Avoid Vulnerable Software: We don't know for sure that there will be another zero-day vulnerability in Java in the future, but Java's long history of zero-day attacks means that there likely will be. (In fact, Java is currently vulnerable to several zero-day attacks that have not yet been patched.) Uninstall Java (or disable the plug-in if you need Java installed) and you're less at-risk of zero-day attacks. Adobe's PDF reader and Flash Player have also historically had quite a number of zero-day attacks, although they've improved recently.
  • Reduce your Attack Surface: The less software you have vulnerable to zero-day attacks, the better. This is why it's good to uninstall browser plug-ins that you don't use and avoid having unnecessary server software exposed directly to the Internet. Even if the server software is fully patched, a zero-day attack may eventually happen.
  • Run an Antivirus: Antiviruses can help against zero-day attacks. An attack that tries to install malware on your computer may find the malware installation foiled by the antivirus. An antivirus's heuristics (which detect suspicious-looking activity) may also block a zero-day attack. Antiviruses may then be updated for protection against the zero-day attack sooner than a patch is available for the vulnerable software itself. This is why it's smart to use an antivirus on Windows, no matter how careful you are.
  • Keep Your Software Updated: Updating your software regularly won't protect you against zero-days, but it will ensure you have the fix as soon as possible after it's released. This is also why it's important to reduce your attack surface and get rid of potentially vulnerable software you don't use -- it's less software you need to ensure is updated.

We've explained what a zero-day exploit is, but what is a permanent and unpatched security vulnerability known as? See if you can figure out the answer over at our Geek Trivia section!