Analysts: 'Less than zero-day' threats often overlooked

26.10.2006

"The problem is one of terminology," said Gadi Evron, security evangelist for Israel-based Beyond Security and a member of the recently formed Zeroday Emergency Response Team. "A zero-day [flaw] is a vulnerability the public does not know about and is used to attack in the wild," he said.

"Zero days are a real threat, although hyped as a buzzword right now," Evron said. Dealing with them requires companies to put in multilayered defenses. "The patching of vulnerabilities is a huge issue by itself," he said. "But it needs to be clear, patches are not a solution to zero-day vulnerabilities, simply a solution to known ones. We still haven't gotten that right."

Understanding the true nature of a zero-day threat is important, regardless of the term used to define the problem, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group. "Defense strategies need to change if the threat is unknown," he said. "You need to come up with better ways to deal with an exploit against an undercover vulnerability that is known only to the bad guys."

Defensive measures need to include components such as network behavior analysis and "white listing" to keep all but approved applications and services from running on a network, said Gerhard Eschelbeck, chief technology officer at Webroot Software Inc. in Boulder, Colo. "You've got to start thinking of what to do with zero-day threats outside of patching," he said. "There has to be more thinking in the industry about heuristic and behavioral models."

"There is a lot of miscommunication and misunderstanding around what a zero-day threat is," said Amrit Williams, an analyst at Stamford, Conn.-based Gartner Inc. Much of that confusion results from the way some security vendors use the term when pitching their products, he said.

But "whatever nomenclature is used, there is a whole class of basically unknown exploits taking advantage of unknown vulnerabilities" that require a response beyond patching, Williams said.