Software security flaws with devastating potential
A zero-day vulnerability is a software flaw that is unknown to the vendor, or which they have just become aware of but haven’t yet fixed.
Typically, when flaws in computer programs which may lead to security issues are discovered, the software company will be notified and given time to patch up the problem. Google’s Project Zero, for example, which actively looks for flaws in software, mostly gives companies 90 days to fix vulnerabilities before publishing their details. This gives companies the chance to address issues before attackers become aware of them and can exploit them.
When a vulnerability is known as ‘zero-day’ it has only just been discovered – the developer has had zero days to fix it. Sometimes, it is hackers who find vulnerabilities in software and are able to use them to compromise a computer system. If the developer fails to fix the problem before it is exploited by hackers, this is known as a zero-day attack.
A spate of zero-day attacks has recently led to the theft of funds from cryptocurrency exchanges. Coinbase, for example, was targeted by hackers who tried to exploit a zero-day vulnerability in Mozilla Firefox to gain access to browser data. If successful, this would have given the hackers access to account information and passwords.