There are a few common, but slightly different definitions of zero-day attacks. Some define zero-day attacks as attacks on vulnerabilities that have not been patched or made public, while others define them as attacks that take advantage of a security vulnerability on the same day that the vulnerability becomes publicly known.
By the most generally definition, however, zero-day attacks (or zero-day exploits) are defined as attacks that target publicly known but still-unpatched vulnerabilities.
Software vulnerabilities may be discovered by hackers, by security companies or researchers, by the software vendors themselves, or by users. If discovered by hackers, an exploit will be kept secret for as long as possible and circulate only through the ranks of hackers, until software or security companies become aware of the vulnerability or of attacks targeting it. These types of attacks are defined by some as ‘less than zero-day’ attacks.
If a vulnerability is discovered by “the good guys” ? security companies or software vendors ? the tendency is to keep it under wraps until the software maker has a patch to fix it. In some cases, however, security researchers or software vendors may have to publicly announce the flaw because users could be able to avoid the problem, for instance by steering clear of a particular Web site or being sure to not open a certain e-mail attachment. Or the vulnerability might be discovered by a user and wind up on a blog or otherwise being publicly disclosed.
In these cases, the race is on ? good guys vs bad guys. Will the software vendor or a security company come up with a fix for the bug or will hackers learn how to exploit it before the vulnerability is patched?
In 2007, Windows XP, Windows Vista, Word, Excel, Internet Explorer, Firefox, QuickTime, RealPlayer,Yahoo! Messenger, Google’s Gmail, Adobe’s Portable Document Format (PDF), and many others were affected by zero-day exploits.
Often zero-day attacks targeting Microsoft software hit right after Microsoft delivers its patches. Cybercriminals have found that they can take advantage of Microsoft’s monthly security update cycle by timing new attacks just after Patch Tuesday–the second Tuesday of each month when Microsoft releases its fixes. These attacks will make Microsoft aware of the new vulnerabilities, but unless the vulnerabilities in question are extremely dangerous it will be a month before the software maker has a chance to respond. Security experts have coined the term “zero-day Wednesday” to describe that strategy.
In July 2007, threats posed by zero-day vulnerabilities were ranked by global IT decision makers as their topmost security concern. 53 percent of the respondents in a survey put zero-day vulnerabilities as the number one security concern, followed by hackers, cited by 35 percent, and malware and spyware.
According to one security company, the average vulnerability has a lifespan of 348 days before it is made public or patched, but some vulnerabilities live on for much longer. Those with the longest lifespan remain undetected for nearly three years.