Why is it called a Zero Day Attack?

In the software world, “day zero” is the day on which the vendor learns of the vulnerability; up until that day it is known as a zero day vulnerability. The logic behind the term is that the vendor has had zero days to patch the bug. In most cases, zero day attacks occur when the flaw is discovered by a sophisticated malicious third party, typically criminal or state-sponsored, and exploited before the software developer has had a chance to discover or fix it.

When technically-oriented users discover an issue with their software, they can take one of the following main actions:
– Discreetly notify the developer of the bug, allowing the vendor to close the potential security gap. This can be done on a voluntary basis or, in a more rewarding way, via bug bounty programs offered by the software vendor. After the vendor patches the bug, the user who found it will usually post it online to demonstrate their capabilities.
– Post it online immediately (without giving the developer enough time to patch it), either for general research or for a less noble reason: to gain publicity. This is usually considered an “immoral” action, as it provides an opening for attackers and puts the system at risk.
– Use it for criminal gain, which can result in significant risk and damage to personal users, employees, companies, and even state systems.

How does a Zero Day exploit happen?

Despite the popular Hollywood portrayal of skilled hackers, most of their work involves exploring software to find gaps in its security. This can be done by analyzing software code, reading blogs online, and even reading university publications. Once they find a promising lead, their next step is to determine whether it can be exploited. This is a crucial step of the process, since not all bugs can be used to actually execute a successful attack, and it involves probing the vulnerability with different methods until it is understood.

Once they understand what the vulnerability is, hackers usually develop what is known as exploit code: a small function that can be embedded in other seemingly innocuous applications and triggered at the right time. With this in hand, the attackers can go out and infiltrate their targets.

A highly successful zero day attack is one that not only compromised its initial target but also stayed in the shadows for years before being discovered.

Zero Day Attack Example

A good example of a zero day attack in recent times is BlueKeep, a critical vulnerability in Microsoft’s Remote Desktop Protocol (RDP). The reason this threat is highly risky is that it can be abused to create a “worm-like” attack that spreads from computer to computer without requiring any user interaction. This “worm” nature of the threat has the potential to cause serious damage, as previously seen in the infamous WannaCry attack that hit, amongst many others, the NHS in the UK, Nissan Motor, Renault, Telefónica, and FedEx.

Beyond the risk this zero day posed when it was discovered, it is expected to take up to a decade before companies have actually updated their software with the new patch.