What are zero-day exploits?

You will likely have seen headlines warning about zero-day exploits. Nothing is safe, it seems, with the exploits hitting software and hardware alike. Those stories’ only advice: apply a security update as a matter of urgency.

The truth is a little more nuanced than that. Here, we explain both what zero-day exploits are and how can you mitigate against them.

What are zero-day exploits?

A zero-day exploit sits at the centre of a “perfect storm” security trifecta, topped and tailed by a zero-day vulnerability and a zero-day attack. So, let’s start at the beginning.

A vulnerability is simply a bug or defect that could enable someone to perform an otherwise unexpected function. In security terms, this could lead to unauthorised access to a system, for example.

Most vulnerabilities are discovered through in-house testing or external “bug bounty” programs before an attacker can take advantage.

However, a zero-day vulnerability is one that threat actors have found before the vendor and before any security update can be deployed. The vendor literally has zero days to fix the vulnerability.

How are zero-day exploits, well, exploited?

A zero-day exploit is simply the method by which that vulnerability can be leveraged. The exploit methodology will vary but often includes malware to gain access to the target system.

Vulnerability-specific “exploit toolkits” are also often created to expedite the exploit process and sometimes end up being sold within criminal forums for large sums.

Regardless of the methodology, a zero-day attack occurs when an attacker uses that exploit against a third party. But “attacker” is too simplistic. It’s better to describe them as threat actors, because they come in many forms.

Who is at risk from zero-day exploits?

Zero-day exploits have evolved over the last decade when it comes to the “who”, meaning both perpetrator and victim.

The usual suspect threat actor used to be largely state-sponsored attackers, and the victims often fell into the government or large enterprise sectors. Today, while both still form part of the answer, you can add cybercriminals with financial gain in mind, which has broadened the victim pool to include small businesses and individuals.

Government agencies, big businesses and high-profile individuals will likely be subject to targeted zero-day attacks. Then there are non-targeted attacks, which using browser or operating system zero-day exploits look to compromise as many systems as possible.

Why do zero-day exploits matter?

Zero-day exploits can go undetected for long periods, sometimes years, meaning data breaches employing them can also go undetected, with obvious financial and privacy implications.

There’s also a thriving grey market in zero-day exploits, with government agencies purchasing them for surveillance operations. Sometimes with a seven-figure price tag.

How can you protect yourself and your business against zero-day exploits?

By their very nature, zero-day exploits can’t immediately be fixed by applying security updates. However, security updates, or patches, should be deployed as soon as they are available.

Many of the most significant cyberattacks of recent times have been made possible by attackers exploiting zero-day vulnerabilities that had long since had patches released but had not yet been applied to the impacted system.

Apart from updating as soon as possible after security patches become available, there are active measures that can mitigate the risk. For example, endpoint security protections can help consumers and businesses prevent some of the mechanisms used to exploit zero-day vulnerabilities.

User education, especially when it comes to social engineering techniques often employed to execute zero-day exploits, can also help.

Patch management, however, remains the recommended reactive mitigation methodology.

Summary: zero-day exploits

  • A zero-day exploit uses a security weakness unknown to the vendor or user. 
  • Everyone from individuals to big businesses and government agencies is at risk. 
  • Regular patching with security updates remains the best (reactive) mitigation. 
  • Endpoint security measures and user education can also help proactively. 
Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.