Exactly what is a zero-day vulnerability?

With a zero-day vulnerability, we don't know about a security problem until it's too late.

A zero-day vulnerability is a hole or flaw in a software program for which there is no patch or fix, usually because the vulnerability is unknown to the software vendor [sources: Hoffman, Symantec].

The term comes from the fact that developers have "zero days" from the time the flaw is discovered to protect against a possible cyberattack. In some cases, an attack itself is the first indication the security problem exists [sources: Bu, Palermo, PC Tools, Peterson].


Once a software vendor discovers a zero-day vulnerability, programmers scramble to correct the flaw and release an update containing the necessary patch. If the vulnerability is exploited by cyber criminals before it can be corrected, the resulting attack is called a zero-day exploit or zero-day attack [sources: Palermo, PC Tools].

According to the 2014 Internet Threat Report published by Symantec, 23 zero-day vulnerabilities were discovered in 2013, more than in any other year the company has tracked [source: Symantec]. Fortunately, zero-day vulnerabilities are often reported to software vendors by "white hat" hackers (the good guys), and in July 2014, Google launched a team called Project Zero, whose mission is to identify and report flaws in widely used programs before they can be exploited for malicious purposes [sources: Evans, Palermo, Peterson].

Zero-day attacks have been used to steal sensitive customer data, gain remote access to computer systems and carry out industrial espionage [source: Peterson].

The Heartbleed bug, a zero-day vulnerability in the OpenSSL encryption library used to secure traffic between Web servers and computers, existed for two years before its discovery in April 2014 [source: Strohm]. When it was first discovered, programmers were unsure whether the Heartbleed flaw had been exploited, but it is now believed to be the source of a hospital breach affecting 4.5 million patient records in the United States [source: BBC News].

In August 2014, Russian hackers were suspected of exploiting a zero-day vulnerability to hack into the computer systems of JPMorgan and at least four other U.S. financial institutions [source: Greenberg].


Lots More Information

  • BBC News. "US hospital hack 'exploited Heartbleed flaw.'" Aug. 20, 2014. (Aug. 27, 2014) http://www.bbc.com/news/technology-28867113
  • Bu, Zheng. "Zero-Day attacks are not the same as Zero-Day vulnerabilities." FireEye. April 24, 2014. (Aug. 27, 2014) http://www.fireeye.com/blog/corporate/2014/04/zero-day-attacks-are-not-the-same-as-zero-day-vulnerabilities.html
  • Evans, Chris. "Announcing Project Zero." Google Online Security Blog. July 15, 2014. (Aug. 28, 2014) http://googleonlinesecurity.blogspot.com/2014/07/announcing-project-zero.html
  • Greenberg, Adam. "Reported breaches involving zero-day bug at JPMorgan Chase, other banks." SC Magazine. Aug. 28, 2014. (Aug. 28, 2014) http://www.scmagazine.com/reported-breaches-involving-zero-day-bug-at-jpmorgan-chase-other-banks/article/368690/
  • Hoffman, Karen Epper. "Less than zero: Zero-day vulnerabilities." SC Magazine. March 3, 2014. (Aug. 28, 2014) http://www.scmagazine.com/less-than-zero-zero-day-vulnerabilities/article/334571/
  • Palermo, Elizabeth. "What is a zero-day exploit?" Tom's Guide. Nov. 22, 2013. (Aug. 28, 2014) http://www.tomsguide.com/us/zero-day-exploit-definition,news-17903.html
  • PC Tools. "What is a Zero-Day Vulnerability?" (Aug. 27, 2014) http://www.pctools.com/security-news/zero-day-vulnerability/
  • Peterson, Andrea. "What is a 'zero-day' vulnerability?" The Washington Post. July 15, 2014. (Aug. 26, 2014) http://www.washingtonpost.com/blogs/the-switch/wp/2014/07/15/what-is-a-zero-day-vulnerability/
  • Robertson, Jordan and Michael Riley. "JPMorgan, Four Other Banks Hit by Hackers: U.S. Official." Bloomberg. Aug. 27, 2014. (Aug. 28, 2014) http://www.bloomberg.com/news/2014-08-27/customer-data-said-at-risk-for-jpmorgan-and-4-more-banks.html
  • Strohm, Chris and Jordan Robertson. "Heartbleed Hack Still a Threat Six Months After Discovery." Aug. 27, 2014. (Aug. 28, 2014) http://www.bloomberg.com/news/2014-08-27/heartbleed-hack-still-a-threat-six-months-after-discovery.html
  • Symantec. "2014 Internet Threat Report, Volume 19." April 2014. (Aug. 28, 2014) http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
  • Symantec. "Vulnerability Trends." (Aug. 27, 2014) http://www.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=zero_day_vulnerabilities