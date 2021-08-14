A zero-day vulnerability is a "known" vulnerability that doesn't have a patch. We're talking about serious business here. Hackers highly value such flaws.\n\n\\\nSome say three-letters agencies and criminal organizations use them regularly.\n\n## Vulnerabilities vs. exploits\n\nIt's essential to know the difference. When you find a weakness in a computer system, that's a vulnerability.\n\n\\\nCool, but how do you exploit that?\n\n\\\nIn some cases, you cannot go for various reasons, for example:\n\n* you need to be authenticated\n* the system is too strong. You cannot test the vulnerability.\n* you lack public information to exploit the flaw\n\n \\\n\nIn a nutshell, a computer system can be vulnerable without being at risk, at least for now.\n\n\\\nUnfortunately for the victims, it's not uncommon those vulnerabilities become exploits.\n\n\\\nCybercriminals use exploits to infiltrate their systems. They run programs that automatically scan the target for vulnerabilities to deliver the appropriate malware.\n\nIt's called an **exploit kit,** and it's meant to pick the lock.\n\n## Known exploits vs. zero-day exploits\n\nKnown exploits are regularly published and documented by security researchers on exploit databases, so security professionals and software developers can keep updated.\n\n\\\nHowever, some exploits remain unknown or only known by cybercriminals. It's a particularly dangerous kind of exploit as it might remain unpatched for months and even years.\n\n\\\nThose zero-days can do many damages in the *wrong* hands like *the Keymaker* is in your team, and you can access the most secret backdoors in the world.\n\n\\\nThe stakes are high. Not only can hackers make lots of money with a zero-day, but the attack might scale up. At this moment, everything's going nuts, and you don't know *who's bad* anymore.\n\n\\\nThose backdoors are a highly strategic asset by nature. Google has [a dedicated project for them](https://googleprojectzero.blogspot.com/). In 2020, they had found and patched 11 zero-days, but, according to the MIT, they publicly exposed a nine-month counterterrorism hacking operation!\n\n\\\nThose vulnerabilities indeed affected Google's products, but not only, for example, iPhones have also been patched.\n\n\\\nIndeed, any government agency would likely keep such flaws secret to use them for intelligence purposes, but it's rather beyond my purview, and I don't want to look too much like a spy movie here 🤭.\n\n\\\n[Source: MIT](https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/)\n\n## What do people with zero-days?\n\nSo we saw zero-days may involve states and high stakes, but let's be a little more practical. States, agencies, or criminal organizations can use zero-days to spy on iPhone users in real life.\n\n\\\nThe famous Pegasus software has exploited zero-day vulnerabilities to infect iPhones and sneak into messaging platforms like WhatsApp or iMessage. It's easy to understand why this cutting-edge spyware is not free at all. Judging from what I've read, the service costs around $1,000,000.\n\n\\\nIt might seem a crazy price, but considering it only needs a telephone number to succeed, it's not that much, especially if the customer is a State. That would not be possible without zero days.\n\n\\\nAs you might guess, secret agencies and criminal organizations are not the only ones that want to keep zero-days private ^^. You have to be Google's elite team Zero to be allowed/able to disclose that.\n\n\\\n[Source: Google Zero - policy and disclosure](https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html)\n\n## Conclusion\n\nZero-days are a common concern. Many vulnerabilities likely remain unpatched, and the phenomenon is accelerating.\n\n\\\nFeatured Photo by [Claudio Schwarz](https://unsplash.com/@purzlbaum?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText) on [Unsplash](https://unsplash.com/s/photos/backdoor?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText).\n\nAlso published on <https://blog.julien-maury.dev/en/zero-day-is-the-new-oil/>