What is zero-day exploit?
A Zero-Day Exploit is an attack exploiting a previously unknown vulnerability (in software or hardware). Zero-Day is the day the attack gets discovered as the exploit becomes “known” but without a fix (unpatched).
A threat actor/actors who had discovered the zero-day vulnerability (a weakness in the code) could develop malicious code to exploit the vulnerability and unleash a cyber attack or sell the malware to black market vendors in the deep web. Numerous malicious actors could be utilizing the malware for days, months or even years before it gets discovered.
On being alerted of the Zero-Day Exploit, the software manufacturer (vendor) analyzes the attack to find the exploit mechanisms and creates a patch. The patch is then made available to users of the software. Once the malware is discovered and a patch is developed it is no more called as a Zero-Day Exploit.
The Good Guys vs The Bad Guys
The Good Guys are researchers who on discovering a zero-day vulnerability report it to the software manufacturer (vendor). The vendor would then work on a fix and then release the fix (patch) to users of the software. The Good Guys will not disclose the vulnerability to the public, but rather give time for the vendor to work on the fix. However, if it is possible for the users to protect themselves, then the Good Guys will immediately disclose the vulnerability (bug).
Google has formed a Project Zero team dedicated to finding zero-day vulnerabilities. On discovering vulnerabilities (bugs), the Project Zero team reports the finding to the manufacturer and makes it publicly visible only after a patch has been released. Responsible disclosure: Google implements a responsible disclosure policy, by providing a 90-day-deadline to software manufacturers to fix the problem before disclosing it to the public, so that users can take appropriate measures to protect themselves from attacks.
The Bad Guys are those who do not report the zero-day exploit to the software vendor. Rather, they use it for cyber attacks themselves or sell it to threat actors on the deep web.
- A software manufacturer creates software and makes it public
- A threat actor/s discovers the vulnerability
- The threat actor/s creates code to exploit the vulnerability
- The threat actor/s implements the code to exploit the vulnerability or sells it
- Good guys spot the vulnerability and alert the software manufacturer – it is now a zero-day exploit
- The software manufacturer develops a fix and releases patches – it is no more called as a zero-day exploit