A malware attack that takes place after it is discovered and before the vendor of the vulnerable software deploys a patch, typically to the OS or Web browser. When a vulnerability is discovered by a user, it may wind up on one or two blogs, and the news travels fast. If only the software vendor becomes aware of it, the tendency is to keep the problem under wraps until a patch has been created to fix it. However, in many cases, vendors announce the flaw because users can then steer clear of the infected website or be sure to avoid opening a certain email attachment. See exploit.
Abbreviated as 0-day exploit, it capitalizes on vulnerabilities right after their discovery. Thus, zero-day attacks occur before the security community or the vendor of the software knows about the vulnerability or has been able to distribute patches to repair it. For this reason, these exploits allow crackers to wreak maximum havoc on systems. The term “0-day” relates to the fact that the value of exploits decreases rapidly as soon as they are announced to the public. The next day after the announcement, for example, exploits are half as valuable to crackers. By the second day after the announcement, they are one-fourth as valuable, and 10 days later, they are one one-thousandth as valuable as on day 0. Today’s Internet is a large, unsafe cyber-neighborhood. If someone connects a freshly loaded Windows system without patches to the Internet, in about 10 or 20 seconds following the connection, the system will be attacked. Even worse, with zero-day exploits, a patch may not be available. For this reason, software companies encourage security “bug” finders to report the bugs to them immediately so that they can write a patch and distribute it to customers. But one controversial researcher by the name of Dave Aitel does not want to do that. Aitel’s company, known as Immunity, Inc., attracted attention in January 2005 when it released details of a vulnerability in Apple’s operating system software—and did not tell the company. The result was that Apple computer customers were aware of the software bug but had no way to fix it. Aitel’s customers were told about the flaw back in June 2004. For a number of reasons, though some security professionals have labeled the Aitel Company’s behavior as being unethical, the company believes it is giving customers vulnerability information in greater detail than most vendors would provide. Because of this hype, larger companies seem to be paying $100,000 to join Immunity, Inc., a private “software vulnerability-sharing” club. Smaller companies have to pay only $50,000 to join, and any company joining the club must sign a nondisclosure agreement. On May 10, 2005, the Mozilla.org company issued a public statement saying that it discovered a “zero-day” exploit code taking advantage of vulnerabilities in its Mozilla Firefox 1.0.3 browser and, to some extent, its Mozilla Firefox Suite. Graham, R. Hacking Lexicon. [Online, 2001.] Robert Graham Website. http://www.linuxsecurity.com/resource_files/documentation/hacking-dict.html; Gray, P. Are Vulnerable Times Responsible Times? [Online, March 2, 2005.] CNET Networks, Inc. Website. http://software.silicon.com/security/0,39024655,39128296,00.htm; Thomas, B.D. Serious Firefox, Mozilla Vulnerabilities Surface. [Online, May 10, 2005.] Guardian Digital, Inc. Website. http://www.linuxsecurity.com/content/view/119086; Wilson, C. CRS Report for Congress: Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. [Online, October 17, 2003.] CRS Report Website. http://www.fas.org/irp/crs/RL32114.pdf.