Shimel has a good post on the whole 0day vulnerability thing.
He nails it. This has been a pet peeve of mine for a long time. A real 0day isn’t the time from when a vulnerability is announced until a patch is released.
A real zero day is a vulnerability no one knows about except those who discovered it. A zero day exploit is an attack against a non-public, unknown vulnerability.
A real zero day is bad juju. It slices through any signature-based security defenses since there’s no known signature. If it’s on a common port, and you don’t detect it through some sort of behavior-based or impact-based technique (like the server dying), it’s hard or impossible to stop.
A smart attacker with a true zero day implementing a targeted attack is extremely hard, if not impossible, to stop. Odds (for us) are a little better if they’re dumb enough to go for the mass exploit, thus setting off all sorts of alarms (maybe).
There are very few true zero day attacks. Even fewer on a large scale. Be thankful they don’t happen more often. Those “0day” protection tools you bought or compiled on your own probably won’t help a whole lot.
Layer the defenses, follow best practices, and realize you can’t stop them all.
One Reply to “The Real Definition of a Zero Day”
As I stated in my initial support for Alan’s position, I think he’s mostly nailed it. There is a distinct difference between an unknown vulnerability, an unknown vulnerability for which there’s an active exploit, a new vulnerability that’s not patched (what most people call a 0 day), and regular old vulnerabilities.