If you've got a zero-day vulnerability on your hands, you've got a problem. Here's what it means, and what you can do to avoid falling victim to one of these schemes.
The term "zero-day" is fairly common in the world of cybersecurity. In recent months, top tech companies—from Microsoft and Google to Apple—have had to patch zero-day bugs, but what does that mean? Here, we’ll explain how they work and how to protect yourself.
Why Is It Called a Zero Day?
The term “zero day” refers to a vulnerability that exists in the wild without the software manufacturer’s knowledge, leaving them open to attack. Once they find the problem, they have “zero days” to fix it because they’re already at risk. There are three main ways to think of a zero-day, as security software firm Kaspersky notes:
Zero-day vulnerability: A software weakness that can be exploited and is found by attackers before the manufacturer knows about it.
Zero-day exploit: The method an attacker uses to gain access to the system using that zero-day vulnerability.
Zero-day attack: When bad actors use a zero-day exploit to get into a system to steal data or cause damage.
So the vulnerability is the weakness, the exploit is the method bad actors use to get in, and the attack is when those bad actors use that vulnerability to cause damage. The terms are sometimes used interchangeably, but they’re not quite the same.
How Do Zero-Day Attacks Work?
Even with software developers and manufacturers diligently checking their products for flaws, mistakes happen, and bad actors are dedicated in their pursuit of weaknesses or loopholes they can exploit for their own gain.
Once a cyber attacker finds that vulnerability, they can write a segment of code to take advantage of it. What that code is and does will depend on the type of vulnerability they’ve discovered. Sometimes attackers can gain access to the system just by using a zero-day exploit. If they can’t, they’ll try to trick someone into letting them inside.
Cyber attackers often do this through social engineering: techniques that play on human psychology to trick people into letting their guard down. Phishing scams that send threatening messages to frighten people into taking a desired action are a textbook case of social engineering. A fake email that looks like it was sent from your bank, for example, says your account has been hacked and tells you to “click here to verify your account details.” Social engineering is used in just about any kind of cyberattack, from malware scams to USB attacks, because it works often enough to be useful.
A zero-day vulnerability can exist in the wild for months before being detected. During that time, attackers can get away with stealing or copying data and damaging sensitive systems until the software manufacturer implements a fix.
Malicious hackers often sell information on zero-day vulnerabilities on the dark web for large sums of money. As long as the only people who know about these exploits are attackers, they remain a threat.
Zero-day attacks can disrupt far more than email passwords or even banking data. Targets range from personal passwords and information to vulnerabilities in Internet of Things-connected devices.
How Are Zero-Day Attacks Discovered?
The good news is, it isn’t just malicious hackers looking for these weak points. Software and tech companies will often employ “white hat” or “gray hat” hackers to test their systems against attack and discover vulnerabilities before their products hit the market.