When you see a typical computer security headline such as “exploit targets zero-day vulnerability in Chrome. Patch now!” pop up on your screen, you may not understand some of the terminology.
It’s not as complicated as it sounds once those definitions are explained in plain English. Our jargon buster helps put these terms into context.
We explain the following terms
Zero Day Vulnerability
Exploit
Security Patch
The developers who create software like the word processor we’re using for this article, or the browser you use to surf the Internet, or even the operating system installed on your computer, are always finding software bugs. Sometimes those software bugs are security vulnerabilities.
Security vulnerabilities aren’t good, but they’re an almost inevitable occurrence when creating large and complex software like browsers and operating systems. A security vulnerability could potentially allow a crook to launch some type of attack on the people who use the affected software. That’s especially bad if the security vulnerability is in software that lots of people use, like, for example, the Google Chrome browser.
The developers behind the software and professional security researchers are always on the hunt for security vulnerabilities, so they can fix them and release an update that goes to everyone using the software. If the update fixes security vulnerabilities, it’s known as a security patch. When someone advises you to patch now, it means to install the latest security patch on a specific piece of software you use. Most of the time these updates will install automatically unless you’ve changed that setting, and it’s always worth checking just in case.
Obviously it’s good for everyone (except the crooks) if the software developers or security professionals can spot the security vulnerabilities first, and fix them before someone tries to use them in a malicious way. Usually that’s exactly what happens, but not all of the time.
Sometimes the bad guys spot a security vulnerability first. Before anyone else. And they use that vulnerability to launch an attack on those who use the software. That’s called a zero day. It can also be elongated to a zero day attack, or the vulnerability itself could be referred to as a zero day vulnerability.
The term ‘zero day’ refers to the number of days the developers had to fix the vulnerability before it was being used by the bad guys to launch attacks. I.e. zero! They had no warning.
Zero day attacks are obviously bad because it could take some time to release a security patch, and in the mean time anyone who uses the software containing the vulnerability is at risk.
The term exploit refers to the actions or the software used to launch an attack against a security vulnerability. For example, if a crook develops a piece of software that specifically capitalises on the software vulnerability for malicious purposes, that software can be called an exploit. Alternatively if someone can perform a sequence of actions to launch an attack using the security vulnerability, it’s that sequence of actions that could be considered the exploit.
So the headline “exploit targets zero-day vulnerability in Chrome. Patch now!” will mean that crooks have found a security vulnerability in Google Chrome, have already created an exploit before Chrome’s developers even knew about it, but there is now a security patch available which you need to install ASAP!