Weissblick - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

The difference between zero-day vulnerability and zero-day exploit

A zero-day vulnerability isn't the same as a zero-day exploit. Learn the difference between these two zero-day terms, as well as why they should be high priority on any CISO's patching list.

In any business environment continuously driven by software, flaws discovered and used by bad actors can be devastating. Problems discovered in firmware, hardware, OSes and software applications must be remedied by the developer and released as a software patch, which will fix the flaw so it no longer becomes a threat.

Yet, what if the developer never discovered a flaw? Alternatively, what if the developer discovered a flaw but didn't bother to fix it in a timely manner? This is what's known as zero-day. This term is used because the developer had literally no time -- zero days -- to fix the flaw before the bad guys knew about it. Thus, time is of the essence to get a patch released.

Getting a bit more technical, you'll often hear about two similar sounding -- yet very different -- zero-day terms. The first term is zero-day vulnerability. This is when software has a flaw known to the developer, but the developer does not yet have a patch ready to be released.

If a patch is not released in time, nefarious actors can create a zero-day exploit -- our second term. A zero-day exploit is a software package coded to take advantage of the known zero-day vulnerability. In most cases, a zero-day exploit is packaged as malware. Zero-day exploits are often highly successful until they become widely known and either the software is patched or other security measures are put in place to successfully identify and block the exploit.

Guarding against zero-days -- whether deemed vulnerability or exploit -- should be high on any CISO's priority list. The exploit takes advantage of exposed software without an available patch. As a result, CISOs must put security teams on notice when a known zero-day vulnerability is announced so they can work to remediate the risk a zero-day exploit could have on the organization.

This was last published in August 2019

Dig Deeper on Malware, virus, Trojan and spyware protection and removal