Zero Day Attack

DEFINITION of 'Zero Day Attack'

Zero Day is an attack that exploits a potentially serious software security weakness (zero day attack or zero day exploit) that the vendor or developer may be unaware of (zero day vulnerability).

The software developer must rush to resolve the weakness as soon as it is discovered in order to limit the threat to software users. The solution is called a software patch. Zero-day attacks can also be used to attack the internet of things (IoT) and supervisory control and data acquisition (SCADA).

A zero-day attack gets its name from the number of days the software developer has known about the problem. Also called Day Zero.

BREAKING DOWN 'Zero Day Attack'

A zero day attack can involve malware, spyware, or unauthorized access to user information. Users can protect themselves against zero day attacks by setting their software – including operating systems, antivirus software, and internet browsers – to update automatically and by promptly installing any recommended updates outside of regularly scheduled updates. That being said, having updated antivirus software will not necessarily protect a user from a zero day attack, because until the software vulnerability is publicly known, the antivirus software may not have a way to detect it. Host intrusion prevention systems also help to protect against zero day attacks by preventing and defending against intrusions and protecting data.

Think of a zero-day vulnerability as an unlocked car door that the owner thinks is locked but a thief discovers is unlocked. The thief can get in undetected and steal things from the car owner’s glove compartment or trunk that may not be noticed until days later when the damage is already done and the thief is long gone.

While zero-day vulnerabilities are known for being exploited by criminal hackers, they can also be exploited by government security agencies who want to use them for surveillance or attacks. In fact, there is so much demand for zero-day vulnerabilities from government security agencies that they help to drive the market for buying and selling information about these vulnerabilities and how to exploit them.

Zero day exploits may be disclosed publicly, disclosed only to the software vendor, or sold to a third party. If they are sold, they can be sold with or without exclusive rights. The best solution to a security flaw, from the perspective of the software company responsible for it, is for an ethical hacker or white hat to privately disclose the flaw to the company so it can be fixed before criminal hackers discover it. But in some cases, more than one party must address the vulnerability to fully resolve it so a complete private disclosure may be impossible.

In the dark market for zero-day information, criminal hackers exchange details about how to break through vulnerable software to steal valuable information. In the gray market, researchers and companies sell information to militaries, intelligence agencies, and law enforcement. In the white market, companies pay white hat hackers or security researchers to detect and disclose software vulnerabilities to developers so they can fix problems before criminal hackers find them.

Depending on the buyer, the seller, and the usefulness, zero day information might be worth a few thousand to several hundred thousand dollars, making it a potentially lucrative market to participate in. Before a transaction can be completed, the seller should provide a proof-of-concept (PoC) to confirm the zero-day exploit’s existence. For those who want to exchange zero-day information undetected, The Tor network allows for zero day transactions to be conducted anonymously using Bitcoin.


Zero-day attacks may be less of a threat than they sound like. (L5) Governments may have easier ways to spy on their citizens (L5) and zero days may not be the most effective way to exploit businesses or individuals. (L5) An attack must be deployed strategically and without the target’s knowledge to have maximum effect. (L5) Unleashing a zero-day attack on millions of computers at once could reveal the vulnerability’s existence and get a patch released too quickly for the attackers to accomplish their ultimate goal. (L5)