November 27, 2006 12:12 PM PST

Security from A to Z: Zero-day

Zero-day is a high-alert label. It refers to a bug in a piece of software that has been unearthed and is at risk of being exploited by hackers before a patch to fix it is available.

A full-blown attack against an unpatched flaw may even be under way--a zero-day exploit and a zero-day attack have both surfaced recently.

The result of any zero-day alert is a scramble to get a patch out fast.

If the security risk is particularly critical, a third-party security company may step in and issue an unofficial quick-fix interim patch that users can download and install for temporary protection until the bona fide fix is available.

Back in September, the aptly named Zeroday Emergency Response Team, or ZERT, released a quick fix for an Internet Explorer flaw. Microsoft got its own patch out a few days later--slower than ZERT but still ahead of Patch Tuesday, its regular monthly patch-issuing day.

Another issue here is with disclosure: when knowledge of vulnerabilities becomes public domain, hackers and security professionals know the race is on. Responsible disclosure will typically involve security researchers informing the company whose software is vulnerable that a flaw has been found, and the nature of the flaw.

Irresponsible disclosure will see a vulnerability discovered and its details posted online or otherwise revealed in a public forum.

The line between the two is not always clear, though, and improper disclosure could often be responsible for this zero-day lag between vulnerability discovery and patch availability.

Natasha Lomas reported for in London.
