The seven days of Zero Day

Zero Day, a word that brings terror to the minds of most and will normally be followed by the pattering typing of malicious actors as they seize the moment. Although the name in its own right is flawed and overused.

On that note what does this actually mean? Well, looking at a few online sources we get the description of a Zero Day as being something along the lines of the following:

A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network. It is known as a “zero-day” because once the flaw becomes known, the application author has zero days in which to plan and advise any mitigation against its exploitation (by, for example, advising workarounds or issuing patches).


What this in turn means is that as soon as a; vulnerability, attack vector or any other form of attack becomes public knowledge it in turn loses its Zero Day handle. However if that’s the case what do we then call these ‘mutated’ Zero Days. This is also a crucial point as media distributions unknowingly create Marketing ‘hype’ by referring to such attacks by the buzz word ‘Zero Day’ instead of a true more precise name.

Saying all of this is great although at the moment there are no defining words for these mutated subsets of a Zero Day. After talking to industry professionals and toiling through other security related websites there does appear to be definitions for these subsets although they never appear all in the same place. Pooling all of this information we seem to have seven precise areas. These areas have been broken up to be concerned about three main areas:

  • The Attack Vector being public knowledge (news distributions or in the public domain).
  • The Attack Vector being patched (Knowingly or unknowing a target system has been patched against the attack).
  • A proof of concept exists for the Attack Vector (the attack is practically executable against a target system).

The below diagram splits these seven subsets out into those that fall into each of these areas. Subsets may fall into between one and three of these areas. The diagram is presented from Zero day through to One day and finally to a Two day in a manner of a Most Vulnerable Model (This being from left to Right the attack success feasibility becomes less plausible) being in the context of a system and on a target by target basis.

Zero Day:

As stated previously a Zero Day is an example of an attack vector where only a proof of concept exists for it while remaining outside of public knowledge as well as the target remaining un-patched. This proof of concept can comprise of any plausible way of performing the attack against the target. This can be the knowledge of between one to a group of threat agents.

Zero Point One Day – PreDay:

Here we have an attack that is in the public domain and is widely known about while has no current proof of concept attack vector and has currently not been patched. An example of an attack such as this may be brute forcing a new cryptography function, this being the case as it may be theoretically possible however at this current time no computing power exists to perform such an attack.

Zero Point Two Day – PatchDay:

This is where we have an attack vector that has consciously or unconsciously been patched and is no longer vulnerable against the targeted attack. An example of this would be an administrator updating their system and in turn removing an unknown vulnerability in the system. Another example of this would be an administrator noticing an attack surface in their system and patching it before such hole can be exploited.

One Day:

A One Day is similar to a Zero Day where a proof of concept exists for the attack however with a One Day the attack vector is also public knowledge. These are normally what we see on the news after massive company breaches and what the media unknowingly refer to as Zero Days.

One Point One Day – CrunchDay:

This subset is where a proof of concept exists for the attack vector however the target system has in turn been patched and safeguarded against the attack. This subset is still not public knowledge so in turn all of this is done outside of the public domain. This subset is also the only subset apart from a Two Day where signatures can be built against the attacks and where security analysts can start actively  monitoring such attacks.

One Point Two Day – PostDay:

This is an example where the target systems for the attack vector have been actively patched as well as the attack vector as a whole being public knowledge. This could in turn derive from a similar example from the Zero Point One Day where a new cryptography function is created that is vulnerable to a brute force however in turn no computing power exists to perform it. This subset however covers the possibility of targeted systems being patched with a fix to subvert and fix the brute force attack while still no threat agents have been able to perform the attack.

Two Day:

This final subset incorporates all three areas and is the final subset to be covered. This subset covers the scenario of an attack at the end of its life cycle where; it is public knowledge, the attack surface has been patched and there is a practical proof of concept attack out there. An example of this could be performing an SQL injection attack against a hardened system that has been patched against the attack. The attack is well know, is patched and the attacker has a practical attack vector. This subset along with a One Point One Day allows for signatures to be built against the attack vector and in turn allowing security analysts to start actively monitoring such attacks.

Image Source:

James Stevenson

Im a Cyber Security enthusiast that loves all things to do with technology. I'm specifically interested in cyber security and ethical hacking.

You may also like...