On April 22, 2022, Nate Warfield of Prevailion published an article on Threatpost on the topic of zero days. I’m a little late to this article, but since this horse apparently still has some life in it, I feel obligated to once again point out how the term ‘zero day’ has basically lost all meaning. Some of the content in this article is practically jumping up and down waving a sign that says “hey, look at how ridiculous I am”.
But, regardless of the software package, zero-day vulnerabilities are still hard to find, expensive to develop exploits against and are quickly rendered useless once they’re made public.
First, every vulnerability is a zero day at some point, no matter how short-lived. Once it is shared publicly or the vendor is notified, it loses that status. So a zero day is not hard to find at all. A zero day in a high-profile piece of software that requires little or no user interaction and can be exploited across the internet is harder to find. But as Nate himself notes, “rarely a month goes by without the infosec industry being plagued by a new zero-day apocalypse.” So they can’t be that hard to find, right?
Further, the second part of the original quote above says “quickly rendered useless once they’re made public”, and he also says “A high-profile zero day gets attention, but its usefulness at scale is generally measured in days or weeks.” Nate quickly dispels that myth himself, though. Just a few paragraphs below he says:
… attackers don’t need to use zero days when organizations aren’t keeping up with their patching. … On January 21, CISA added CVE-2006-1547: 16 years after the vulnerability was found, it’s still being used by attackers.
So that 2006 vulnerability wasn’t rendered useless once it was public. For a more recent example, consider CVE-2017-11882 and look up the extensive list of threat actors still using it and the long list of campaigns it has been a part of. Zero days only get rendered useless when the vast majority of organizations patch the vulnerability, and we as InfoSec practitioners know that simply doesn’t happen.
With that, we need to decide whether a zero day is effective for days or weeks, or whether it is long lasting. You can’t have it both ways, and all the evidence points instead to the fact that the term has lost all meaning.
So let’s be clear on the definition again: a zero day is a vulnerability that was unknown to the vendor and discovered via exploitation in the wild. Once it becomes public, or becomes known to the vendor, it is no longer a zero day… to some people at least. Others factor in whether there is a viable mitigation like a patch or upgrade, and hold that until one exists it is still a zero day. Factoring in both variations, we can say that once a vulnerability is made public and a patch is made available, it moves from a zero day to what many call a “one day” (or some variation of it).
But does that really cover it? What about a vulnerability posted to the Full Disclosure mail list that never makes its way to the vendor, so a patch is never developed? Ten years later, is it a zero day? Many would argue no, that publication in that manner strips it of the zero day designation. So we’re back to square one with a term that has really lost all meaning due to how nebulous it is.
For me, a zero day is a vulnerability that was previously unknown to the vendor, has no patch, and was exploited in the wild. Once it becomes public it is no longer a zero day, but it is obviously still a significant threat to many organizations. It’s easy to refer to it as a zero day in the past tense, easy to convey the information, and at that point you can ignore any debate about its zero day status and instead just patch the damn vulnerability.