Analysts: 'Less than zero-day' threats often overlooked

26.10.2006
Attacks that target publicly unknown vulnerabilities continue to pose a silent and growing problem for companies. But the response to those threats has been largely misguided because of certain misconceptions about them, analysts said.

Zero-day exploits these days are generally defined as attacks that target publicly known but still-unpatched vulnerabilities. Examples of such threats include an object tag flaw in Microsoft Corp.'s Internet Explorer Web browser made public in April and the more recent Vector Markup Language (VML) vulnerability in IE. Both were considered zero-day threats because they were publicly disclosed, and exploited, before Microsoft had a chance to issue patches.

"According to accepted wisdom, organizations face the greatest danger when an attack or exploit targeting [such vulnerabilities] is verified in the wild," said Alan Shimel, chief strategy officer at StillSecure in Superior, Colo.

While that danger is obvious, it is equally important that companies remain on guard for undisclosed vulnerabilities or "less than zero-day" flaws that are unknown to anybody but attackers, Shimel said. Typically, such flaws are discovered only after they have been successfully exploited in an attack and are much harder to detect and stop using most standard antimalware tools, he said.

"People now think of zero day as the time [between] when a vulnerability becomes known to when a patch becomes available," Shimel said, adding that companies still tend to rely on patches and similar fixes to address the problem.

The definition of zero-day exploits does not generally include unknown vulnerabilities that also exist and are already being quietly exploited. "Somewhere along the line, our definition of a zero-day attack got changed" to mean only those vulnerabilities that have been made public, Shimel said. "It's time to put the emphasis back on the unknown attacks out there."

"The problem is one of terminology," said Gadi Evron, security evangelist for Israel-based Beyond Security and a member of the recently formed Zeroday Emergency Response Team. "A zero-day [flaw] is a vulnerability the public does not know about and that is used in attacks in the wild," he said.

"Zero days are a real threat, although hyped as a buzzword right now," Evron said. Dealing with them requires companies to put in multilayered defenses. "The patching of vulnerabilities is a huge issue by itself," he said. "But it needs to be clear: patches are not a solution to zero-day vulnerabilities, simply a solution to known ones. We still haven't gotten that right."

Understanding the true nature of a zero-day threat is important, regardless of the term used to define the problem, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group. "Defense strategies need to change if the threat is unknown," he said. "You need to come up with better ways to deal with an exploit against an undercover vulnerability that is known only to the bad guys."

Defensive measures need to include components such as network behavior analysis and "white listing" to keep all but approved applications and services from running on a network, said Gerhard Eschelbeck, chief technology officer at Webroot Software Inc. in Boulder, Colo. "You've got to start thinking of what to do with zero-day threats outside of patching," he said. "There has to be more thinking in the industry about heuristic and behavioral models."

"There is a lot of miscommunication and misunderstanding around what a zero-day threat is," said Amrit Williams, an analyst at Stamford, Conn.-based Gartner Inc. Much of that confusion results from the way some security vendors use the term when pitching their products, he said.

But "whatever nomenclature is used, there is a whole class of basically unknown exploits taking advantage of unknown vulnerabilities" that require a response beyond patching, Williams said.

In many cases, such attacks are going to be hard to stop because they hit flaws no one but the attacker knows about. So companies need to implement measures for quickly identifying such attacks and limiting fallout, including network segmentation, traffic filtering and access controls, he said.

Even so, most organizations "are not experiencing pain" from "less than zero-day attacks," Williams said. For the moment, the biggest problem continues to be publicly disclosed flaws for which no patches exist, he said. One example is the Windows Metafile exploit earlier this year. "Most companies don't know how to deal with situations where patches don't exist" for a disclosed vulnerability, Williams said. That inadequacy is far more significant when a nonpublic vulnerability is involved, he said.
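The point Eschelbeck and Williams make above, that a signature or patch can only cover a flaw someone has already seen, while allowlisting and behavioral rules can still catch the unknown, is illustrated in the following added example. It is not code from the article or from any of the vendors quoted; the binaries, hashes, process names, hosts and event stream are all constructed, and the allowlist, blocklist and baseline sets are hypothetical. It hashes four stand-in executables, compares a blocklist decision with a default-deny allowlist decision, and then runs two simple behavioral checks (an application spawning an interactive shell, and an application connecting somewhere it is not expected to) over a constructed endpoint event stream.

```python
"""Default-deny allowlisting plus a small behavioral heuristic.

Added example, not from the article or its sources. All binaries, hashes,
hosts and events below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable file contents. Real code would read and
# hash the file on disk; the names are hypothetical.
BINARIES = {
    "notepad.exe": b"MZ approved notepad build 5.1",
    "outlook.exe": b"MZ approved outlook build 11.0",
    "known_worm.exe": b"MZ worm body that already has an AV signature",
    "fresh_dropper.exe": b"MZ dropper compiled yesterday, no signature anywhere",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature (blocklist) model: deny only hashes already known to be bad.
BLOCKLIST = {sha256_hex(BINARIES["known_worm.exe"])}

# Allowlist model: permit only hashes the organisation has explicitly approved.
ALLOWLIST = {sha256_hex(BINARIES["notepad.exe"]), sha256_hex(BINARIES["outlook.exe"])}


def blocklist_allows(data: bytes) -> bool:
    """Signature model: anything not yet seen is allowed to run."""
    return sha256_hex(data) not in BLOCKLIST


def allowlist_allows(data: bytes) -> bool:
    """Default-deny model: anything not explicitly approved is refused."""
    return sha256_hex(data) in ALLOWLIST


def exec_decisions(binaries=BINARIES) -> dict:
    """Map each binary name to (blocklist_allows, allowlist_allows)."""
    return {name: (blocklist_allows(d), allowlist_allows(d)) for name, d in binaries.items()}


@dataclass
class Event:
    pid: int
    image: str        # executable name as launched
    kind: str         # "exec", "spawn" or "connect"
    detail: str = ""  # child image for spawn, host:port for connect


# Constructed event stream: a mail client is exploited by a document nobody has
# a signature for, drops a new binary, and that binary opens a shell and calls out.
EVENTS = [
    Event(100, "outlook.exe", "exec"),
    Event(100, "outlook.exe", "connect", "mail.example:443"),
    Event(100, "outlook.exe", "spawn", "fresh_dropper.exe"),
    Event(101, "fresh_dropper.exe", "exec"),
    Event(101, "fresh_dropper.exe", "spawn", "cmd.exe"),
    Event(101, "fresh_dropper.exe", "connect", "203.0.113.7:8080"),
    Event(102, "notepad.exe", "exec"),
]

# Hypothetical behavioral baseline: which images are expected to talk on the
# network, and to where. Images absent from the map are expected to stay silent.
EXPECTED_CONNECTS = {
    "outlook.exe": {"mail.example:443"},
}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe"}


def behavioral_alerts(events=EVENTS) -> list:
    """Flag shell spawns and unexpected outbound connections, signature or not."""
    alerts = []
    for e in events:
        if e.kind == "spawn" and e.detail in INTERACTIVE_SHELLS:
            alerts.append(f"pid {e.pid} {e.image} spawned shell {e.detail}")
        if e.kind == "connect" and e.detail not in EXPECTED_CONNECTS.get(e.image, set()):
            alerts.append(f"pid {e.pid} {e.image} unexpected connect to {e.detail}")
    return alerts


if __name__ == "__main__":
    for name, (blk, allw) in exec_decisions().items():
        print(f"{name:20} blocklist allows={blk!s:5} allowlist allows={allw}")
    for a in behavioral_alerts():
        print("ALERT:", a)
```

The blocklist passes fresh_dropper.exe because nothing has ever been published about it, which is exactly the "less than zero-day" case; the allowlist refuses it for the same reason. The behavioral rules catch the same binary a second time, after it has run, without needing to know anything about it beyond what it does, which is the kind of heuristic model Eschelbeck is arguing for as a complement to patching rather than a replacement.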