A 0-day (also written zero-day) is a critical computer security vulnerability in software, an operating system or hardware that is unknown to the developer and for which no patch is yet available.
Its name comes from "day zero": the time elapsed between its discovery and the first available patch is zero.
A 0-day vulnerability is like leaving a door open in the wall without any guards to watch over it.
Alexandre SALQUE
Characteristics of a 0-day vulnerability
- Not detected: it is not yet known to the public or to the software vendor, nor is it listed in vulnerability databases (such as CVE).
- No patch available: since the developer is not aware of it, there is no patch to correct it.
- Exploited by attackers: hackers can use it to infiltrate systems, steal data or install malicious software.
What is a 0-day exploit?
A 0-day exploit is a malicious program or code designed to take advantage of the flaw before a patch is released.
Example: the EternalBlue exploit (NSA, 2017), based on an unpatched Windows vulnerability, was used to propagate the WannaCry ransomware.
Who uses 0-days?
- Cybercriminals: for targeted attacks, cybercrime and ransomware, data theft... Ex: the group FIN7 using 0-days to target points of sale (POS).
- Governments and intelligence agencies: for espionage, sabotage or cyber attacks. Ex: Stuxnet (2010), targeting Iranian centrifuges.
- Cybersecurity researchers: to report vulnerabilities to companies (bug bounty, responsible disclosure). Ex: discovery of the Log4Shell flaw (2021) by a researcher.
How can you protect yourself against 0-days?
- Regularly update software and systems.
- Use advanced security solutions (EDR, IDS, firewall...).
- Practice Zero Trust (not trusting software and users by default).
- Monitor threats and apply patches as soon as they become available.
0-day attacks are among the most dangerous because they target unknown vulnerabilities that are difficult to prevent!
Figures for France and worldwide
World
- Number of 0-days detected:
  - 2023: 97 0-day vulnerabilities exploited (Google Project Zero report).
  - Increase of 50% since 2020, linked to cyberwar (Ukraine, tensions between China and the United States).
- Cost of a 0-day exploit:
  - On the dark web: 100 000 to 5 million depending on the target (iOS, Windows, etc.).
  - Example: iOS 0-days sell for up to 2 million $ (source: Zerodium).
France
- Attacks recorded:
  - In 2022, 12% of cyber attacks in France involved 0-days (ANSSI report).
  - Target sectors: health, energy, defence.
- Emblematic case:
  - Hacking of the Chèque Emploi Service Universel (CESU) software in 2021 via an undisclosed 0-day vulnerability.
Recent examples of 0-day attacks
- Log4Shell (2021):
  - Vulnerability in the Java library Log4j that can be used to take control of servers.
  - Impact: 40% of global businesses affected (source: Check Point).
- Zoom (2020):
  - A 0-day flaw allowed attackers to take control of PCs via the application.
- Pegasus (NSO Group):
  - Spyware using iOS/Android 0-days to monitor journalists and opponents.
Why are 0-days so dangerous?
- Patch latency: on average, 54 days are required to correct a vulnerability (source: Ponemon Institute).
- System complexity: modern software (e.g. cloud, IoT) increases the number of attack surfaces.
- Profitability: a single 0-day can infect millions of machines (e.g. Conti ransomware).
The future of 0-days
- Generative AI: generative AI could automate the discovery of vulnerabilities.
- Cyber warfare: 0-days become geopolitical weapons (e.g. Russia-Ukraine conflict).
- Controls: the EU is working on legislation to regulate the sale of exploits (e.g. NIS 2).