When a new vulnerability in an operating system, a widely used application, or an application server is discovered, there is a delay before the vendor can create and distribute a patch. The time between the discovery of the vulnerability and the release of the patch is called Zero Day.
Zero Day Exploits
Exploits may target end-user applications, especially web browsers. Widely used web server software is also a frequent target, as are application servers and operating system features. The central element is widespread use: it is unlikely that every instance is patched, and unlikely that every owner and administrator is even aware of the vulnerability. Some attacks are automated, or are orchestrated to spread rapidly. If an attack has a high success rate, it can become a major problem quickly, and when thousands of systems are compromised in a short time, catastrophe is possible. Discovering which systems are vulnerable and which were actually compromised also takes significant time in large data centers.
The Zero Day Delay
Sometimes the vendor is notified before the vulnerability is published, to allow time to work on or release a patch. In other cases, neither the vendor nor the public is aware of the flaw, and the zero day window can be much longer. Hackers can develop exploits and tools, test them, and distribute them widely during this time. Often the vulnerability is only taken seriously once enough sites, servers, and networks have been compromised. Some security professionals monitor and research the hacker and criminal networks and sites, keeping abreast of new tools and discussions. "White hat" hackers hope to discover and document vulnerabilities before criminals or unethical hackers can. Modern operating systems and software are complex, and new features, versions, and updates are released frequently, so there is a constant race between the criminal element and the creators of software.
Examples of Zero Day Attacks
In early December 2008, an Internet Explorer flaw was discovered in how the browser handled XML. It allowed the automatic download and execution of a malicious program. It took 8 days for the patch to be created and released. End-user systems were compromised very quickly, and because the patch was not released as part of the normal patch cycle, many users did not know it existed until they became aware of a problem. Similarly, in 2005, the Zotob worms were created and released within one week of Microsoft's announcement of a vulnerability in Plug and Play.
Sometimes threats can be minimized or eliminated even before the needed patch is available, by reconfiguring the affected software. However, reconfiguration like this requires knowledge of the potential vulnerability, or luck. In many cases a whole category of vulnerabilities can be minimized or eliminated through sound security practices. Defense-in-depth techniques, strong security implemented in servers and networks, and intrusion prevention solutions are all means of reducing the risk from zero day vulnerabilities. Vendors are also providing more protection against whole vulnerability categories, such as buffer overflow protection built into the OS. Intrusion Detection and Prevention systems, coupled with administrators who know and understand their platforms, are part of a strong defense as well.
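The "buffer overflow protection built into the OS" mentioned above only helps if the binaries on a system actually opt into it. The following checker is an added example (not code from the original article): it parses the ELF header and program headers of a Linux binary and reports whether the stack is marked non-executable (NX, via the PT_GNU_STACK header), whether the file is position-independent so ASLR can relocate it (PIE, e_type == ET_DYN), and whether a PT_GNU_RELRO segment is present. It assumes Linux/ELF binaries; the RELRO check is for the partial form only (full RELRO would also need BIND_NOW from the dynamic section) and stack canaries are not checked, since that requires the symbol table. The `build_sample_elf` helper constructs a minimal in-memory ELF image so the example runs offline; that image is constructed for illustration, not taken from any real binary.

```python
"""Report exploit mitigations (NX stack, PIE, RELRO) present in an ELF binary."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header describing the stack's permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1                  # segment flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent


def elf_mitigations(data: bytes) -> dict:
    """Parse ELF header + program headers and return {"nx", "pie", "relro"}.

    Raises ValueError if `data` does not start with the ELF magic.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_type, p_flags, ...
    else:
        hdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_type, ..., p_flags, p_align
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    gnu_stack_flags = None
    has_relro = False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            gnu_stack_flags = ph[flags_idx]
        elif ph[0] == PT_GNU_RELRO:
            has_relro = True

    # Without a PT_GNU_STACK header the loader falls back to an architecture
    # default, which on x86 has historically been an executable stack, so a
    # missing header is treated as "no NX".
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": has_relro}


def build_sample_elf(stack_exec: bool, pie: bool, relro: bool,
                     omit_stack_hdr: bool = False) -> bytes:
    """Construct a minimal little-endian ELF64 image (header + program headers).

    This is a constructed test fixture, not a loadable program.
    """
    phdrs = []
    if not omit_stack_hdr:
        phdrs.append((PT_GNU_STACK, 0x6 | (PF_X if stack_exec else 0)))  # RW or RWX
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))                                 # R
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LE, version 1
    hdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, ET_DYN if pie else ET_EXEC,
                      0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. python elfcheck.py /bin/ls
            print(sys.argv[1], elf_mitigations(fh.read()))
    else:
        print("hardened sample:", elf_mitigations(build_sample_elf(False, True, True)))
        print("weak sample:    ", elf_mitigations(build_sample_elf(True, False, False)))
```

Run it against a path to inspect a real binary, or with no arguments to see the two constructed fixtures. A result of `{"nx": False, ...}` or `{"pie": False, ...}` on a network-facing daemon is exactly the kind of finding that a defense-in-depth review should turn up before a zero day does.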