Zero-Day Attacks
Microsoft releases patches for Windows on the second Tuesday of every month. Many of these patches are security patches, which fix specific known security vulnerabilities. But it is not just Microsoft that releases security patches; many vendors release patches regularly to fix security issues.
Sometimes an adversary starts taking advantage of a security vulnerability before the vendor is notified about it, or at least before the vulnerability is publicly known. This is a zero-day: an attack in which the vulnerability being exploited was previously unknown. Beyond vulnerabilities, the term zero-day is occasionally used for a new or previously unseen piece of malware, attack, or threat.
Zero-day vulnerabilities can be difficult to obtain, but attacks that use them are among the most successful. Because of this they are greatly sought after and, when found, are often sold on the black market for a high price. Zero-days are commonly associated with specific APT groups, since those groups have the resources to find or purchase them.
Recently we have seen a number of vendors launch bug bounty programs to try to reduce the number of zero-day attacks. The idea is that if a researcher finds a vulnerability, they can sell it to the vendor rather than putting it on the black market. It is uncertain exactly how successful these programs are, but they do show the lengths some companies are willing to go to in trying to eliminate security issues in their products.
The number of zero-days found each year is relatively small, typically in the low to mid double digits, but we have seen steady growth over the past 10 years or so. Even though the number of zero-days is small, the impact can be very large, since a single zero-day will often affect many users.