A Zero-Day Attack exploits a security vulnerability for which no patch exists. The term means developers have had zero days to address the flaw — it may even be unknown to them when exploitation begins.
The Window of Exposure — Five Phases
| Phase | Description |
|---|---|
| Pre-Discovery | Vulnerability exists but no one has identified it |
| Discovery | Identified but not yet announced |
| Announcement | Publicly disclosed — attackers become aware |
| Exploit | Automated exploit code published |
| Patch | Vendor releases a fix |
Real-World Example: PowerPoint Zero-Day
Malicious .ppt files exploited a memory-access error in Microsoft PowerPoint 2000–2003 and Office 2004 for Mac, allowing remote code execution with the logged-in user’s privileges. Microsoft recommended using the Office Isolated Conversion Environment (MOICE) as an interim workaround.
Zero-Day Protection Architecture
- Protocol Anomaly Detection — blocks traffic not conforming to protocol standards.
- Pattern Matching — removes high-risk file types by inspecting full packet payloads.
- Behaviour Analysis — identifies suspicious behaviours including DoS, DDoS, and port scans.
Defence Recommendations
- Apply the Principle of Least Privilege for all user access controls.
- Restrict active code (JavaScript, ActiveX) execution in browsers.
- Use Group Policy Objects in Active Directory to limit user access.
- Do not rely solely on antivirus — zero-day exploits evade signature detection until new signatures are released.
CISSP Made Easy 