Security Cyber

The Zero-Day Lie

The word zero day gets thrown around in cybersecurity like confetti.

Every other week there is a new headline. A fresh vulnerability disclosure lands and someone calls it a zero day. A Log4Shell variant shows up in a different library and the tweets flood in saying zero day again. A CVE drops on a Tuesday and by Wednesday half the infosec timeline is calling it a zero day.

But the term has a precise meaning. And we have almost completely abandoned it.

The original definition is specific. A zero day vulnerability is one that is unknown to the vendor and unknown to anyone capable of mitigating it. The zero means the vendor has had zero days to fix it because they do not even know it exists yet. An exploit that targets one of these is a zero day exploit. An actual attack in the wild is a zero day attack.

Not close. Not new to you. Not something you personally just found out about. Unknown. To the vendor. To defenders. To everyone.

The term itself comes from the warez scene where zero day software meant software obtained before its official release day. Day zero. You got it before anyone else could. Eventually the term migrated into vulnerability research and took on the more specific meaning we use now. Or at least the meaning we are supposed to use.

Here is what actually happens in practice. A vulnerability is discovered by someone. Could be a researcher. Could be an intelligence agency. Could be a threat actor. That vulnerability gets traded on dark markets. It gets stockpiled. It gets used quietly in targeted operations that never make headlines. Months go by. Maybe years. The RAND Corporation published research showing the average zero day exploit remains usable for almost seven years. Seven years of being actively exploitable while no one with the ability to fix it knows it exists.

Then one day a vendor finds out. Or a researcher publishes. Or a breach happens that forces disclosure. And suddenly it is a zero day. Headline writers love that word. It sounds scary. It sounds fresh. It sounds like something brand new just crawled out of the shadows and is about to get everyone. Except it has probably been kicking around for ages.

This is not semantics. Language shapes how we think about risk. When every vaguely interesting CVE gets called a zero day the word stops meaning anything. Teams become desensitised. They hear zero day and treat it like every other alert. They have heard it fifty times this month alone for things that have been in the wild since before some of them graduated.

Meanwhile true zero days are genuinely terrifying. These are vulnerabilities that no defender has ever seen. No signatures exist. No behavioural detection catches them. No patch is coming because no one knows there is a problem. Stuxnet used four of them. EternalBlue was one for years before the Shadow Brokers dumped it. These are the ones that keep security architects up at night.

And the uncomfortable part. Governments buy these. The NSA had an entire unit dedicated to finding and purchasing zero days. China buys them. Russia buys them. Israel sells them. There is a thriving market where exploits that nobody knows about fetch millions of dollars and get quietly deployed against targets that never find out they were compromised. These vulnerabilities are zero day in the truest possible sense and they exist in massive numbers.

So is that new CVE everyone is calling a zero day actually a zero day? Probably not. Chances are someone else already knew about it. Chances are it has been quietly exploited or traded or stockpiled for longer than you realise. The only thing that is genuinely new is your awareness of it.

Believing something is unexplored when other people have already been there for ages is the industry version of a zero day. It only looks new from where you are standing.

The next time someone calls a vulnerability a zero day, ask them one simple question. If the vendor has already issued a patch, does it really count? If researchers have known about it for months, does it really count? If there are already signatures in major threat intel feeds, does it really count?

Probably not. It is just new to you. And that is not the same thing.
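The three questions above reduce to a timeline check: how many days the vendor had before the exploitation you are looking at, whether a patch existed by then, and whether detection content existed by then. The small triage helper below is an added example, not code from the original post or from securitycyber.uk. It encodes the post's definition: exploitation is only a true zero day when the vendor had zero days, otherwise it is an n-day, patched or not. The identifiers and dates are constructed placeholders, not real vulnerabilities.

```python
"""Triage helper (added example): label observed exploitation as a true
zero day or an n-day from the vulnerability's own timeline.
All identifiers and dates are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    """Dates a defender can usually recover from an advisory or intel feed."""
    ident: str                           # placeholder label, not a real CVE id
    vendor_aware: Optional[date]         # first day the vendor knew; None = still unknown
    patch_released: Optional[date]       # None = no fix published yet
    public_disclosure: Optional[date]    # None = not public
    signature_available: Optional[date]  # first day detection content existed


def vendor_days(t: VulnTimeline, exploited_on: date) -> Optional[int]:
    """Days the vendor had to act before the observed exploitation.

    None means the vendor had zero days: either it still does not know, or
    it only learned of the bug after the exploitation being assessed.
    """
    if t.vendor_aware is None or t.vendor_aware > exploited_on:
        return None
    return (exploited_on - t.vendor_aware).days


def classify(t: VulnTimeline, exploited_on: date) -> dict:
    """Apply the post's definition: zero day only if the vendor had zero days."""
    days = vendor_days(t, exploited_on)
    patched = t.patch_released is not None and t.patch_released <= exploited_on
    detectable = (t.signature_available is not None
                  and t.signature_available <= exploited_on)
    if days is None:
        label = "zero-day"
    elif patched:
        label = "n-day (patch available)"
    else:
        label = "n-day (unpatched)"
    return {
        "ident": t.ident,
        "label": label,
        "vendor_days": days,
        "patch_available": patched,
        "signature_available": detectable,
    }


# Constructed sample timelines, all assessed against exploitation seen on 2024-03-01.
SEEN = date(2024, 3, 1)
SAMPLES = [
    # Nobody capable of fixing it knows: the real thing.
    VulnTimeline("VULN-A (placeholder)", None, None, None, None),
    # Vendor told in November, patch and disclosure in January, signatures days later.
    VulnTimeline("VULN-B (placeholder)", date(2023, 11, 20), date(2024, 1, 9),
                 date(2024, 1, 9), date(2024, 1, 12)),
    # Vendor knows, disclosed publicly, but no patch and no signatures yet.
    VulnTimeline("VULN-C (placeholder)", date(2024, 2, 20), None,
                 date(2024, 2, 27), None),
    # Vendor only finds out a month after the exploitation being assessed.
    VulnTimeline("VULN-D (placeholder)", date(2024, 4, 1), None, None, None),
]


def triage_all() -> list:
    """Classify every constructed sample against the observed exploitation date."""
    return [classify(t, SEEN) for t in SAMPLES]


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['ident']:24} {row['label']:26} vendor_days={row['vendor_days']}")
```

Only VULN-A and VULN-D come out as zero days: in both the vendor had zero days at the moment of exploitation. VULN-B is a 102-day n-day with a patch, which is the case the headlines most often mislabel, and VULN-C is an unpatched n-day, still dangerous but known to the people who can fix it.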

More at securitycyber.uk
