A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. "Zero day" refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems.
The unknown or unaddressed vulnerability is referred to as a zero-day vulnerability or zero-day threat. A zero-day attack is when a malicious actor uses a zero-day exploit to plant malware, steal data or otherwise cause damage to users, organizations or systems.
A similar but separate concept, zero-day malware, is a virus or malware for which the signature is unknown or as yet unavailable, and therefore undetectable by many antivirus software solutions or other signature-based threat detection technologies.
IBM’s X-Force® threat intelligence team has recorded 7,327 zero-day vulnerabilities since 1988, which amounts to just 3% of all recorded security vulnerabilities. However, zero-day vulnerabilities—especially in widely used operating systems or computing devices—are a severe security risk. They leave huge numbers of users or entire organizations wide open to cybercrime until the vendor or the cybersecurity community identifies the problem and releases a solution.
A zero-day vulnerability exists in a version of an operating system, app or device from the moment it’s released, but the software vendor or hardware manufacturer doesn’t know it. The vulnerability can lie undetected for days, months or years until someone finds it.
In the best-case scenario, security researchers or software developers find the flaw before threat actors do. However, sometimes hackers get to the vulnerability first.
Regardless of who discovers the flaw, it often becomes public knowledge soon after. Vendors and security professionals typically tell customers so that they can take precautions. Hackers can circulate the threat among themselves, and researchers can learn about it from watching cybercriminal activity. Some vendors may keep a vulnerability secret until they’ve developed a software update or other fix, but this can be a gamble. If hackers find the flaw before vendors patch it, organizations can be caught off guard.
Knowledge of any new zero-day flaw starts a race between security professionals working on a fix, and hackers developing a zero-day exploit that leverages the vulnerability to break into a system. Once hackers develop a workable zero-day exploit, they use it to launch a cyberattack.
Hackers can often develop exploits faster than security teams can develop patches. By one estimate, exploits are usually available within 14 days of a vulnerability’s disclosure. However, once zero-day attacks start, patches often follow in just a few days because vendors use information from the attacks to pinpoint the flaw they need to fix. So, while zero-day vulnerabilities can be dangerous, hackers can’t typically exploit them for long.
Stuxnet was a sophisticated computer worm that exploited four different zero-day software vulnerabilities in Microsoft Windows operating systems. In 2010, Stuxnet was used in a series of attacks on nuclear facilities in Iran. Once the worm breached a nuclear plant’s computer systems, it sent malicious commands to the centrifuges used to enrich uranium. These commands caused the centrifuges to spin so fast that they broke down. In total, Stuxnet damaged 1,000 centrifuges.
Researchers believe that the US and Israeli governments worked together to build Stuxnet, but this is unconfirmed.
Log4Shell was a zero-day vulnerability in Log4J, an open source Java library used for logging error messages. Hackers could use the Log4Shell flaw to remotely control almost any device running Java apps. Because Log4J is used in popular programs like Apple iCloud and Minecraft, hundreds of millions of devices were at risk. MITRE’s Common Vulnerabilities and Exposures (CVE) database gave Log4Shell the highest possible risk score, a 10 out of 10.
The Log4Shell flaw had been present since 2013, but hackers didn’t start exploiting it until 2021. The vulnerability was patched shortly after discovery, but security researchers detected more than 100 Log4Shell attacks per minute at the peak.
In early 2022, North Korean hackers exploited a zero-day remote code execution vulnerability in Google Chrome web browsers. The hackers used phishing emails to send victims to spoofed sites, which used the Chrome vulnerability to install spyware and remote access malware on victims’ machines. The vulnerability was promptly patched but the hackers covered their tracks well, and researchers don’t know exactly what data was stolen.
Zero-day attacks are some of the most difficult cyberthreats to combat. Hackers can exploit zero-day vulnerabilities before their targets even know about them, allowing threat actors to sneak into networks undetected.
Even if the vulnerability is public knowledge, it may be a while before software providers can release a patch, leaving organizations exposed in the meantime.
Nowadays, hackers exploit zero-day vulnerabilities more frequently. A 2022 Mandiant report found that more zero-day vulnerabilities were exploited in 2021 alone than in all of 2018-2020 combined.
The rise in zero-day attacks is likely tied to the fact that company networks are growing more complex. Today, organizations rely on a mix of cloud and on-premises apps, company-owned and employee-owned devices, and Internet of Things (IoT) and operational technology (OT) devices. All these factors expand the size of an organization’s attack surface, and zero-day vulnerabilities could be lurking in any of them.
Because zero-day flaws offer such valuable opportunities to hackers, cybercriminals now trade zero-day vulnerabilities and zero-day exploits on the black market for lavish sums. For example, in 2020, hackers were selling Zoom zero-days for as much as USD 500,000.
Nation-state actors are also known to seek out zero-day flaws. Many choose not to disclose the zero-days that they find, preferring instead to craft their own secret zero-day exploits for use against adversaries. Many vendors and security researchers criticize this practice, arguing that it puts unwitting organizations at risk.
Security teams are often at a disadvantage with zero-day vulnerabilities. Because these flaws are unknown and unpatched, organizations can’t account for them in cybersecurity risk management or vulnerability mitigation efforts.
However, companies can take steps to uncover more vulnerabilities and lessen the impact of zero-day attacks.
Patch management: Vendors rush to put out security patches when they learn about zero-days, but many organizations neglect to apply these patches quickly. A formal patch management program can help security teams stay abreast of these critical patches.
Vulnerability management: In-depth vulnerability assessments and penetration tests can help companies find zero-day vulnerabilities in their systems before hackers do.
Attack surface management (ASM): ASM tools allow security teams to identify all assets in their networks and examine them for vulnerabilities. ASM tools assess the network from a hacker’s perspective, focusing on how threat actors are likely to exploit assets to gain access. Because ASM tools help organizations see their networks through an attacker’s eyes, they can help uncover zero-day vulnerabilities.
Threat intelligence feeds: Security researchers are often among the first to flag zero-day vulnerabilities. Organizations that stay updated on external threat intelligence may hear about new zero-day vulnerabilities sooner.
Anomaly-based detection methods: Zero-day malware can evade signature-based detection methods, but tools that use machine learning to spot suspicious activity in real time can often catch zero-day attacks. Common anomaly-based detection solutions include user and entity behavior analytics (UEBA), extended detection and response (XDR) platforms, endpoint detection and response (EDR) tools, and some intrusion detection and intrusion prevention systems.
Zero trust architecture: If a hacker exploits a zero-day vulnerability to break into a network, zero trust architecture can limit the damage. Zero trust uses continuous authentication and least privilege access to prevent lateral movement and block malicious actors from reaching sensitive resources.
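The anomaly-based detection item above is the one that pays off against activity with no known signature, so here is a small worked illustration of the idea. This is an added example, not code from the original page or from any IBM product: it builds a per-user baseline from a window of normal activity (which hosts each user touches and how many files they typically access per session) and then flags later events that deviate from it, either a host the user has never used or an access volume far beyond their usual range. The log format, user names, host names and file counts are all constructed for the example; a real UEBA or EDR product uses far richer features and models, but the baseline-then-deviation logic is the same.

```python
"""Toy anomaly-based detector (constructed example, not a product's code).

Instead of matching a signature, it learns what is normal for each user from
historical session records and alerts on sessions that stray from that norm.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical log line format: "<timestamp> user=<name> host=<host> files=<n>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) files=(?P<files>\d+)$")

# Constructed "known good" window used to build the baseline.
BASELINE_LOGS = [
    "2024-01-01T09:00 user=alice host=fs-01 files=40",
    "2024-01-02T09:05 user=alice host=fs-01 files=45",
    "2024-01-03T09:02 user=alice host=fs-01 files=42",
    "2024-01-04T09:10 user=alice host=fs-01 files=38",
    "2024-01-05T09:01 user=alice host=fs-01 files=44",
    "2024-01-01T08:30 user=bob host=mail-01 files=10",
    "2024-01-02T08:31 user=bob host=mail-01 files=12",
    "2024-01-03T08:29 user=bob host=mail-01 files=11",
    "2024-01-04T08:35 user=bob host=mail-01 files=9",
    "2024-01-05T08:33 user=bob host=mail-01 files=10",
]

# Constructed events to score against the baseline.
NEW_LOGS = [
    "2024-01-08T09:03 user=alice host=fs-01 files=43",     # normal
    "2024-01-08T23:47 user=alice host=dc-01 files=900",    # new host + huge volume
    "2024-01-08T08:32 user=bob host=mail-01 files=12",     # normal
    "garbage line that does not parse",                    # malformed, skipped
    "2024-01-08T03:15 user=svc-unknown host=fs-01 files=5",  # user with no baseline
]


def parse(line):
    """Return a dict for a well-formed line, or None for a malformed one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "user": m["user"], "host": m["host"], "files": int(m["files"])}


def build_baseline(lines):
    """Per-user profile: hosts seen, plus mean and stdev of files per session."""
    hosts = defaultdict(set)
    counts = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        hosts[ev["user"]].add(ev["host"])
        counts[ev["user"]].append(ev["files"])
    return {
        user: {"hosts": hosts[user], "mean": mean(vals), "stdev": pstdev(vals)}
        for user, vals in counts.items()
    }


def score_event(ev, baseline, z_threshold=3.0):
    """Return the list of reasons an event looks anomalous (empty = normal)."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append(f"first access to host {ev['host']}")
    # A constant baseline has stdev 0; fall back to 1.0 so any change is still scored.
    stdev = profile["stdev"] or 1.0
    z = (ev["files"] - profile["mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"file access volume z={z:.1f}")
    return reasons


def detect(lines, baseline):
    """Score each parseable line; return (user, host, reasons) for anomalies."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = score_event(ev, baseline)
        if reasons:
            alerts.append((ev["user"], ev["host"], reasons))
    return alerts


if __name__ == "__main__":
    for user, host, reasons in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"ALERT {user}@{host}: {'; '.join(reasons)}")
```

Two design points worth noting for a defender: the detector never needs to know what the attacker's tooling looks like, only what the user's own history looks like, which is exactly why this class of control can fire on a zero-day; and the "no baseline for user" branch matters, because an account that has never been seen before is itself a signal rather than something to silently skip.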