What’s a Zero-Day Vulnerability?
Cybersecurity news these days is full of horror stories about companies patching terrible security vulnerabilities left and right. One term keeps popping up throughout these reports, so often that you might be wondering: What is a zero-day vulnerability?
When you read an article in the news (or in this newsletter) about a company like Microsoft patching a zero-day vulnerability, the term doesn’t necessarily describe the threat itself in any meaningful way. “Zero-day” doesn’t denote a security flaw that is as severe as they come. Security researchers usually label severe vulnerabilities as “critical” instead.
However, you’ll often see zero-days labeled as critical because of what they are. In short, zero-days are vulnerabilities whose exploits developers or researchers were not aware of until now. That’s bad news, because software developers always want to be the first to find a flaw in their software. If they spot a problem before anyone else does, they can quietly work on a fix and issue a patch to their users with no one the wiser. A zero-day, however, means someone outside the circle of trust knew about the flaw, threatening the user base.
When software developers discover a zero-day, either through their own research or through third-party discoveries, they jump into action and race to develop a patch as soon as possible. In some cases, it isn’t clear whether bad actors have used an exploit to attack users of the software through the security flaw. In other cases it is apparent, and the zero-day is referred to as “actively exploited.” An actively exploited zero-day is the worst kind, because bad actors are actively targeting customers and a patch is required ASAP.
It’s essential to download and install any security patches as soon as they come in. However, in the event of a zero-day, it’s imperative. Installing a patch that fixes a zero-day flaw can mean the difference between your system being attacked and your system being protected.