0 / 10 flipped
Zero-Day Vulnerability
Tap to reveal
A software security flaw that is unknown to the vendor β they have had zero days to discover and fix it. The name describes the vendor's preparation time: none. All software is assumed to contain undiscovered vulnerabilities. The critical question is who finds a given flaw first: a security researcher who will report it, or an attacker who will exploit it. Until the vendor knows the flaw exists, no patch is possible.
Zero-Day Attack
Tap to reveal
An attack that exploits a vulnerability for which no patch or official mitigation exists. Attackers who discover an unknown vulnerability develop exploit code targeting it and launch attacks before the vendor can respond. Zero-day attacks cannot be stopped by patching (no patch exists) or by signature-based detection (no signature exists). They represent a race: the attacker races to exploit as many targets as possible; the vendor races to develop and distribute a fix.
Good Guys vs. Bad Guys: Who Finds Vulnerabilities
Tap to reveal
Both security researchers and attackers are constantly searching for undiscovered vulnerabilities. Good guys (researchers): share findings with the software vendor through responsible/coordinated disclosure, allowing a patch to be developed before any exploitation. Bad guys (attackers): keep findings secret, develop exploit code, and use the vulnerability while no patch exists. The outcome depends entirely on who finds the flaw first. Bug bounty programs incentivize researchers to find flaws before attackers do.
CVE (Common Vulnerabilities and Exposures)
Tap to reveal
A publicly maintained database of disclosed software vulnerabilities at cve.mitre.org. Each confirmed vulnerability gets a unique CVE ID (e.g., CVE-2023-2033), a description, severity score (CVSS), affected versions, and patch status. CVE provides common language β the whole security community refers to the same vulnerability by the same ID. CVE entries are created when vulnerabilities become public (typically at patch release). Zero-day attacks, by definition, occur before a CVE entry exists or before the public knows one is coming.
Why Antivirus Fails Against Zero-Days
Tap to reveal
Antivirus and most SIEM rules use signature-based detection β they match observed activity against a database of known attack patterns. A zero-day exploit has never been seen before, so no signature exists. A system actively being compromised by a zero-day exploit will show a clean antivirus result. This is why zero-day attacks are so dangerous and why behavioral detection (EDR) is the primary tool for finding them β EDR watches what processes do, not what they look like, and can flag anomalous behavior without a pre-existing signature.
April 2023 β Chrome Zero-Day
Tap to reveal
Google released an emergency patch in April 2023 for a high-severity Chrome zero-day being actively exploited. The flaw involved memory corruption in the V8 JavaScript engine combined with a sandbox escape. Memory corruption allowed the attacker to hijack execution within the Chrome renderer; the sandbox escape broke out of Chrome's process isolation to execute code at the OS level. Before the patch: no signature existed, antivirus showed clean. The attack was detected through behavioral anomalies (browser processes doing things browsers don't do).
May 2023 β Microsoft Secure Boot Zero-Day
Tap to reveal
Microsoft patched a May 2023 zero-day that allowed attackers to run self-signed code during the UEFI boot process, defeating Secure Boot. Secure Boot is designed to verify that only cryptographically signed, trusted code runs before the OS loads. By bypassing it, attackers could install firmware-level rootkits β malware that persists below the OS layer, surviving OS reinstallation, reimaging, and most security tooling (which runs after the OS loads). This is one of the most persistent attack forms possible.
May 2023 β Apple iOS/iPadOS Zero-Days (Three)
Tap to reveal
Apple issued emergency patches for three actively exploited iOS/iPadOS zero-days in May 2023: (1) Sandbox escape β broke out of iOS app isolation. (2) Sensitive information disclosure β read data the exploiting code should not have accessed (credentials, keys, personal data). (3) Arbitrary code execution β ran any attacker-chosen code on the device. All three were under active exploitation β real attacks were happening before the patches existed. The cluster demonstrates that even tightly controlled platforms like iOS have zero-day vulnerabilities.
Sandbox Escape
Tap to reveal
An exploit technique that breaks code out of an application's security sandbox β the restricted execution environment designed to contain a process and prevent it from accessing the OS or other applications. Modern browsers, mobile OSes, and many applications use sandboxing to limit damage from exploited processes. A sandbox escape allows attacker-controlled code to run in the broader OS context, accessing files, other processes, and the network. Sandbox escape was involved in both the April 2023 Chrome zero-day and one of the May 2023 Apple iOS zero-days.
Zero-Day Defense: What Works
Tap to reveal
Since you cannot patch the unknown, zero-day defense relies on defense-in-depth: (1) EDR / behavioral monitoring β detects post-exploitation anomalies without signatures. (2) Network segmentation β limits lateral movement after initial compromise. (3) Application sandboxing β contains blast radius; attacker must also escape the sandbox. (4) Least privilege β compromised process has limited permissions. (5) Rapid patch deployment β minimize exposure window once a patch is released. (6) CVE monitoring β know immediately when a patch for software you use is released.