Scrolling through the latest IT security news, the words ‘Zero Day’ loom large. Article after article warns of a devastating new vulnerability in the latest Windows or OS X release that requires urgent patching.
So we get the impression they’re a bad thing. We might even rush to update our machines. But for many the question remains: what exactly is a “zero day”?
## Just the Facts ##
Despite the special designation, a zero day is simply a security bug in a program or operating system that attackers can exploit to compromise a machine.
What makes it a ‘zero day’ is timing. To be considered a zero day, the bug must have been discovered (and perhaps even acted on) before the developer is aware of its existence.
This can occur just hours after a product release, but can also take days, weeks, months or even years to be uncovered and exploited.
## Market Value ##
Once a zero day is stumbled upon, the discoverer has a choice: alert the software’s development team, or sell the exploit.
Selling the exploit need not always be a destructive action: reputable companies such as Apple and HP offer lucrative rewards for reporting zero days, and government agencies can offer up to six-figure payouts for a flaw in a widely-used operating system like iOS.
However, the discoverer might also choose the ‘dark road’ – selling the exploit on a Dark Web marketplace. If this option is taken, payouts can also fall into the six-figure range, but average around the $8,000 - $17,000 mark.
Not all discoverers are individuals, either. Many security firms, like FireEye, specialise in finding zero-day exploits and alerting the major companies affected.
## What Are Developers Doing? ##
Software vendors must release timely ‘patches’, or security updates, in order to thwart zero day exploits. Depending on the company, these might be released regularly, or on a more ad-hoc basis.
A high-profile example of diligent patching is Microsoft, with their Patch Tuesday program releasing important security fixes on the second Tuesday of each month.
Meanwhile, an example of a less regimented update release cycle is Apple, whose patches are delivered as needed and come with little fanfare (and precious little explanation of what they fix).
Both approaches have their strengths and weaknesses: Microsoft’s regular patches keep the majority of vulnerabilities covered, but can make security gaps more predictable for attackers, leading to a phenomenon called “Exploit Wednesday”, in which the freshly released fixes are studied and turned against systems that have not yet applied them.
Apple’s ‘see-no-evil’ ethos is a double-edged sword too: it makes the climate less predictable for attackers, but leaves users in the dark as to whether or not they’re protected from the latest threats for OS X.
Most other tech players fall somewhere between these two extremes with their security patching.
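A fixed cadence like Patch Tuesday is something a defender can plan around: if you know when fixes land, you can measure how long each host stays unpatched afterwards, which is exactly the window that “Exploit Wednesday” targets. The script below is an added example written for this post, not code from the original article or from Microsoft. It computes the second Tuesday of a month, finds the next release date from an arbitrary day, and flags hosts whose (constructed, hypothetical) deployment dates lag the release by more than a chosen number of days.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbers Monday as 0, so Tuesday is 1


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Microsoft's Patch Tuesday)."""
    first_of_month = date(year, month, 1)
    # Days from the 1st to the first Tuesday; modulo 7 handles months that start on a Tuesday (0 days).
    days_to_first_tuesday = (TUESDAY - first_of_month.weekday()) % 7
    first_tuesday = first_of_month + timedelta(days=days_to_first_tuesday)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(today: date) -> date:
    """Return the first Patch Tuesday strictly after `today`, rolling into the next month if needed."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate > today:
        return candidate
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


def days_unpatched(release: date, deployed_on: date) -> int:
    """Number of days a host ran without the fix after it was published."""
    return (deployed_on - release).days


def late_hosts(release: date, deployments: dict[str, date], max_days: int) -> list[str]:
    """Names of hosts that applied the release more than `max_days` after Patch Tuesday, sorted by name."""
    return sorted(
        host for host, deployed_on in deployments.items()
        if days_unpatched(release, deployed_on) > max_days
    )


# Constructed sample data for the example: hypothetical hostnames and the day each one
# finished installing the January 2024 Patch Tuesday updates.
DEPLOYMENTS = {
    "web-01": date(2024, 1, 10),
    "db-02": date(2024, 1, 30),
    "laptop-07": date(2024, 2, 20),
}


if __name__ == "__main__":
    release = patch_tuesday(2024, 1)
    print(f"January 2024 Patch Tuesday: {release}")
    print(f"Next release after {release}: {next_patch_tuesday(release)}")
    for host, deployed_on in DEPLOYMENTS.items():
        print(f"{host}: {days_unpatched(release, deployed_on)} days unpatched")
    print("Hosts exposed for more than 14 days:", late_hosts(release, DEPLOYMENTS, 14))
```

The 14-day threshold is an arbitrary choice for the example; the useful part is that the exposure window is measured from a date you can predict in advance, so the same script can drive a reminder before each release rather than a report after the fact.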
The moral is that, whatever the update cycle of the software you’re using, zero days are one of the main reasons it’s so important to run the most recent security updates.
Photo Credit: DafneCholet, via Compfight, Creative Commons