When a person writes a malicious program that takes advantage of a newly discovered security hole — a hole that even the manufacturer doesn’t know about — that malicious program is a 0day exploit. (Fuddy-duddies call it “zero-day exploit.” The hopelessly hip say “zero day” or “sploit.”)
0days are valuable. In some cases, very valuable. The Trend Micro antivirus company has a subsidiary — TippingPoint — that buys 0day exploits. TippingPoint works with the software manufacturer to come up with a fix for the exploit, but at the same time, it sells corporate customers immediate protection against the exploit. “TippingPoint’s goal for the Zero Day Initiative is to provide our customers with the world’s best intrusion prevention systems and secure converged networking infrastructure.” TippingPoint offers up to $10,000 for a solid security hole.
Rumor has it that several less-than-scrupulous sites arrange for the buying and selling of new security holes. Apparently, the Russian hacker group that discovered a vulnerability in the way Windows handles WMF graphics files sold its new hole for $4,000, not realizing that it could’ve made much more. In 2012, Forbes Magazine estimated the value of 0days as ranging from $5,000 to $250,000.
Bounties keep getting bigger. Google’s Pwnium competition offers up to $2.7 million for hacks against its Chrome OS, and significant bonuses for other cracks. The Zero Day Initiative (from TippingPoint) now offers more than $500,000 in prize money for the best cracks in the Pwn2Own contest — and an additional $400,000 for the separate Mobile Pwn2Own.
According to Forbes, some government agencies are in the market. Governments certainly buy 0day exploits from a notorious 0day brokering firm. The problem (some would say “opportunity”) is getting worse, not better. Governments are now widely rumored to have thousands — some of them, tens of thousands — of stockpiled 0day exploits at hand.
How do you protect yourself from 0day exploits? In some ways, you can’t: By definition, nobody sees a 0day coming, although most antivirus products employ some sort of heuristic detection that tries to clamp down on exploits based solely on the behavior of the offensive program. Mostly, you have to rely on the common-sense protection.