Zero Day Vulnerability

In today’s article, we’re going to go back to basics and explain what a zero-day vulnerability is and, ultimately, what you can do to stay safe online. Let us first define the term, shall we?

What is a Zero-Day Vulnerability?

A zero-day (or 0-day) is a computer-software vulnerability unknown to those who should be interested in its mitigation, which would include the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, other computers or an entire network. An exploit directed at a zero-day vulnerability is called a zero-day exploit, or zero-day attack.

Originally, the term “zero-day” referred to the number of days since a new piece of software was released to the public; in other words, “zero-day software” was obtained by hacking into a developer’s computer before release.

Later on, the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them. Once the vendor learns of the vulnerability, they will usually create updates or advise workarounds to mitigate it.

The more recently the vendor has learned of the vulnerability, the sooner it can develop and release a fix for the problem. Once a fix is out, the chance of the exploit succeeding decreases as more users apply it over time.

Generally speaking, while the vendor is still unaware of the vulnerability, and unless it is inadvertently fixed (for example by an unrelated update that happens to close the hole), the probability that a user has applied a vendor-supplied patch for the problem is zero, so the exploit remains usable.

Window of vulnerability

The window of vulnerability is defined as the time from when a software exploit is first detected to the time when the number of vulnerable systems shrinks to insignificance. The timeline for each software vulnerability is defined by the following events:

  • t0: The vulnerability is discovered.
  • t1a: A security patch is released.
  • t1b: An exploit becomes active.
  • t2: Most systems have applied the patch.

The length of the window of vulnerability is therefore t2 − t1b.

Note that t0 is not the same as day zero: if a hacker is the first to discover the vulnerability (at t0), the vendor might not learn of it until much later (on day zero).

For normal vulnerabilities, t1b > t1a. This means that the software vendor was aware of the vulnerability and had time to publish a security patch (t1a) before any hacker could craft an exploit (t1b). For zero-day exploits, t1b ≤ t1a: the exploit becomes active before any patch is available.

Hence, software vendors hope to reach t2 before t1b is reached, thus avoiding any exploits.

In practice, the length of the window of vulnerability varies between systems, vendors, and individual vulnerabilities. It is often measured in days, with one report from 2006 estimating the average at 28 days.
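The timeline model above, turned into a small worked example so the classification and the window length can be checked on concrete dates. This is added code, not part of the original article; the class and method names, and the sample dates, are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VulnTimeline:
    """One vulnerability's timeline, using the event names from the text.
    An event that has not happened yet is left as None."""
    t0: date                         # vulnerability first discovered (by anyone)
    day_zero: Optional[date] = None  # vendor learns of it (may be later than t0)
    t1a: Optional[date] = None       # security patch released
    t1b: Optional[date] = None       # exploit becomes active
    t2: Optional[date] = None        # most systems have applied the patch

    def is_zero_day(self) -> bool:
        """Zero-day case from the text: t1b <= t1a, i.e. the exploit is active
        before a patch exists. An active exploit with no patch at all counts too."""
        if self.t1b is None:
            return False              # no exploit yet, nothing to classify
        return self.t1a is None or self.t1b <= self.t1a

    def vendor_days_to_fix(self, today: date) -> Optional[int]:
        """Days the vendor has had to fix it: from day zero until the patch
        shipped, or until today if there is no patch yet."""
        if self.day_zero is None:
            return None               # vendor still unaware of the bug
        end = self.t1a or today
        return (end - self.day_zero).days

    def window_days(self, today: date) -> int:
        """Window of vulnerability, t2 - t1b. While t2 has not been reached the
        window is still open, so it is measured up to `today` instead."""
        if self.t1b is None:
            return 0                  # no exploit, no window
        end = self.t2 or today
        return max((end - self.t1b).days, 0)


# Constructed sample timelines (not real incidents).
TODAY = date(2024, 3, 1)
NORMAL = VulnTimeline(t0=date(2024, 1, 5), day_zero=date(2024, 1, 5),
                      t1a=date(2024, 1, 20), t1b=date(2024, 2, 1), t2=date(2024, 2, 15))
ZERO_DAY = VulnTimeline(t0=date(2024, 1, 5), day_zero=date(2024, 1, 25),
                        t1b=date(2024, 1, 10), t1a=date(2024, 2, 4), t2=date(2024, 2, 20))
UNPATCHED = VulnTimeline(t0=date(2024, 2, 10), t1b=date(2024, 2, 12))  # window still open
```

For the constructed cases, NORMAL is not a zero-day (patch 12 days before the exploit, 14-day window), ZERO_DAY is (exploit 25 days before the patch, 41-day window), and UNPATCHED is a zero-day whose window is still open at 18 days and counting.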

The U.S. federal government uses the Vulnerabilities Equities Process to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities — i.e. whether to disclose them to the public to help improve general computer security or to keep them secret for offensive use against its adversaries. The process has been criticized for a number of reasons, including restriction by non-disclosure agreements, lack of risk ratings, special treatment for the NSA, and less than a whole-hearted commitment to disclosure as the default option.

How to protect yourself from zero day vulnerabilities?

Since zero day vulnerabilities are generally unknown to the general public, it is often hard for an individual to stay safe over a period of time. The one thing all of us could do is exercise common sense and practice safe computing habits. This would include using an anti-virus, a VPN, and regularly updating all of our software.

Modern operating systems are already capable of protecting you against zero-day memory corruption vulnerabilities such as buffer overflows. They do this using heuristic termination analysis in order to stop attacks before they cause any harm.

However, sometimes hackers manage to get around these restrictions and could potentially cause havoc. Therefore, make sure that all the apps you use are up to date, and that you have both an anti-virus and a VPN running on all your devices.

It is our mission to help the world find a good VPN – and that’s where our page with Best of the Best VPNs kicks in. There, you will find the field-tested services that have been on this market for years. So, if you still don’t have a VPN, now’s the time to get one. Hop over to that page and take it from there. You can always thank us later. 😉