Zero-Day Vulnerabilities: What They Are and How Antivirus Protects Against Them

A zero-day vulnerability is a software flaw that attackers exploit before the developer knows it exists or before a patch is available. Understanding them helps you understand how modern security defends against the unknown.

1. What Zero-Days Are

Understanding Zero-Day Vulnerabilities and Exploits

A zero-day vulnerability is a security flaw in software that is unknown to the software vendor and therefore has no official patch or fix available. The term "zero-day" refers to the number of days the developer has had to address the problem — zero days, because the vulnerability is either unknown to them or known and unpatched. A zero-day exploit is malicious code that takes advantage of a zero-day vulnerability to compromise systems. The window between vulnerability discovery by attackers and patch availability from the vendor is the period of maximum exposure — during this window, every system running the vulnerable software is potentially at risk and no official remediation exists.

The lifecycle of a vulnerability illustrates the zero-day concept. A researcher or attacker discovers a flaw in software. If a security researcher discovers it (sometimes called a "white hat" finding), responsible disclosure practice involves notifying the vendor privately and giving them a defined period (typically 90 days, per Google Project Zero's standard) to release a fix before public disclosure. If a criminal or state-sponsored attacker discovers it first, they keep it secret to maintain offensive value — the longer a zero-day remains secret and unpatched, the more valuable it is for continued exploitation. Some zero-day vulnerabilities are held privately for years; Stuxnet (the nation-state malware targeting Iranian nuclear facilities) used four simultaneous zero-day exploits, demonstrating the capability and willingness of nation-state actors to stockpile and use zero-days strategically.

The market for zero-day exploits is a significant and well-documented phenomenon. Government agencies, private intelligence contractors, and criminal organisations pay substantial sums for undisclosed zero-day vulnerabilities in high-value targets. Zerodium, a commercial vulnerability broker, publicly lists acquisition prices: up to US$2.5 million for a zero-click iOS exploit that requires no user interaction. This economic dynamic incentivises finding and selling zero-days rather than reporting them to vendors, contributing to the volume of unpatched vulnerabilities being actively exploited. For Hong Kong organisations, the practical implication is that sophisticated attackers — particularly those with nation-state resources or connections — may have access to zero-day capabilities against commonly used software and platforms.

  • Zero-Day Definition: A vulnerability unknown to the vendor — zero days to patch because no patch exists yet.
  • Zero-Day Exploit: Malicious code that weaponises the unpatched vulnerability for system compromise.
  • Responsible Disclosure: Security researchers notify vendors privately and allow 90 days before public disclosure.
  • State Stockpiling: Nation-states collect zero-days as offensive tools — Stuxnet used four simultaneously.
  • Exploit Market: Zero-days are commercially traded — iOS zero-clicks fetch up to US$2.5 million.
  • HK Relevance: Nation-state actors with zero-day capabilities have specifically targeted HK organisations.
2. How Exploits Work

How Zero-Day Exploits Are Used in Real Attacks

A zero-day exploit typically takes advantage of memory safety vulnerabilities — buffer overflows, use-after-free errors, type confusion bugs — in software that processes external input. Browser-based zero-days are particularly valuable because modern browsers are extremely complex codebases processing untrusted external content (web pages) continuously. A vulnerability in a JavaScript engine, a PDF rendering library, or a font parsing component can allow an attacker to execute arbitrary code in the context of the browser process when the victim visits a crafted page. From there, an additional escalation exploit may be needed to escape the browser's sandbox and execute code with full system privileges.

High-profile zero-day exploitation campaigns provide instructive examples. The Log4Shell vulnerability (CVE-2021-44228) in the Log4j Java logging library was disclosed in December 2021 and immediately exploited at mass scale against enterprise servers. Organisations had days to identify and patch all instances of the vulnerable library across their infrastructure — a severe challenge given that Log4j was embedded in thousands of applications, many of which organisations weren't aware of. Microsoft Exchange Server vulnerabilities (the HAFNIUM attacks, March 2021) used four zero-days chained together to achieve remote code execution and full server compromise — tens of thousands of Exchange servers globally were compromised before patches were deployed. The ProxyShell vulnerabilities in Exchange affected Hong Kong organisations directly, given how widely Exchange is deployed in HK businesses.

Nation-state actors targeting Hong Kong organisations have been documented using zero-day exploits. Multiple reports from security researchers including those at Mandiant, FireEye, and Kaspersky have documented APT groups with known connections to state-level resources using zero-day exploits against targets in HK, particularly during periods of heightened geopolitical tension. APT41 (a China-nexus group attributed by the US DOJ), APT10, and multiple other groups have been observed using both publicly known exploits and suspected zero-days against targets in Hong Kong's financial, legal, and political sectors. For organisations that may be targeted based on their work or associations, proactive threat hunting and EDR capabilities (not just reactive antivirus) are appropriate defensive measures.

  • Memory Safety Bugs: Buffer overflows, use-after-free — common vulnerability classes enabling code execution.
  • Browser Exploitation: Browser zero-days are high-value — complex codebases processing untrusted web content.
  • Sandbox Escape: Browser exploits often need a second exploit to escape browser sandbox for system access.
  • Log4Shell Example: Zero-day in Java logging library — mass exploitation before organisations could patch.
  • Exchange ProxyShell: Chained zero-days against Exchange Server — directly affected HK organisations.
  • APT Targeting: APT41, APT10, and others have used zero-days against HK financial and legal sector targets.
3. How Security Detects Zero-Days

How Antivirus and Endpoint Security Detect Zero-Day Exploits

Since zero-day exploits have no signature (the vulnerability and exploit code are unknown when they first appear), signature-based antivirus cannot detect them. The detection mechanisms that address zero-days are behavioural: exploit protection modules monitor for the post-exploitation behaviour that is characteristic regardless of the specific vulnerability being used. When an exploit successfully runs, it typically attempts to perform recognisable actions: spawning unexpected child processes from normally non-interactive applications (a browser spawning PowerShell, for example), injecting code into other processes, disabling security tools, making unusual network connections, or writing files to sensitive system locations. These behaviours are detectable even without knowing the specific vulnerability used.
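The browser-spawns-PowerShell pattern described above, as an added detection example that is not part of this article or of any product it names: it parses constructed Sysmon-style process-creation events and flags a content-processing application launching a script host, raising severity when the command line shows hidden or encoded PowerShell. The process-name sets and the regular expression are assumptions to tune for your own environment.

```python
import re

# Applications that render untrusted external content and should never launch
# a command interpreter on their own (assumed list; tune it for your estate).
CONTENT_PROCESSORS = {"chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}
# Interpreters and script hosts an exploit payload typically reaches for first.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line traits that raise severity: hidden window, encoded command,
# in-memory download-and-execute.
HIGH_RISK_ARGS = re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|"
                            r"downloadstring|\biex\b", re.IGNORECASE)
# Key="quoted value" or Key=bareword pairs, as in a Sysmon Event ID 1 rendering.
EVENT_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Constructed sample events (not real telemetry); the base64 is a dummy value.
SAMPLE_EVENTS = [
    'ParentImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -w hidden -enc QQBCAEMA"',
    'ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe"',
    'ParentImage="C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe" '
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c whoami"',
]

def parse_event(line):
    """Turn one event line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in EVENT_FIELD.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event):
    """Return an alert if a content processor spawned a script host, else None."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in CONTENT_PROCESSORS or child not in SUSPICIOUS_CHILDREN:
        return None  # interactive shells from explorer.exe etc. are normal
    cmdline = event.get("CommandLine", "")
    severity = "high" if HIGH_RISK_ARGS.search(cmdline) else "medium"
    return {"severity": severity, "parent": parent, "child": child, "cmdline": cmdline}

def scan(lines):
    """Run every event line through assess() and keep only the alerts."""
    return [alert for alert in map(assess, map(parse_event, lines)) if alert]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```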

Memory protection technologies specifically address the memory safety vulnerability exploitation that characterises most zero-day exploits. ASLR (Address Space Layout Randomisation), DEP/NX (Data Execution Prevention/No-Execute), Control Flow Guard (CFG), and Arbitrary Code Guard (ACG) are OS-level mitigations built into modern Windows, macOS, and Linux that make exploitation significantly harder by randomising memory layouts and preventing code execution from data regions. Security products like Malwarebytes Premium add a layer of application-level exploit mitigation on top of OS protections: heap spray protection, forced ASLR for applications that don't implement it themselves, and anti-process-hollowing detection. These mitigations don't prevent the vulnerability from existing but make successful exploitation dramatically harder.
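A way to check whether an application actually opts in to the OS mitigations named above, as an added example that is not from the article or from any vendor it mentions: it reads the DllCharacteristics flags from a Windows PE header using only the standard library, which is how you would find the applications a forced-ASLR layer has to cover. The build_test_image helper constructs a minimal header for offline testing and is not a loadable binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
MITIGATION_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR entropy
    "DYNAMIC_BASE":    0x0040,  # ASLR opt-in (relocatable image)
    "NX_COMPAT":       0x0100,  # DEP/NX opt-in
    "GUARD_CF":        0x4000,  # Control Flow Guard instrumentation present
}

def pe_mitigations(data: bytes) -> dict:
    """Report which mitigations a PE image opts into via its optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                   # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {name: bool(dll_chars & bit) for name, bit in MITIGATION_FLAGS.items()}

def build_test_image(dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header (test fixture only, not a runnable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, no sections
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    import sys
    # Pass a real .exe/.dll path to audit it; otherwise inspect the constructed fixture.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image(0x0140)
    for name, enabled in pe_mitigations(data).items():
        print(f"{name:16} {'enabled' if enabled else 'MISSING'}")
```

An application reporting DYNAMIC_BASE as missing is exactly the case where the forced-ASLR layer mentioned above has to step in.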

Machine learning-based detection in modern NGAV products provides another zero-day defence layer. ML models trained on vast datasets of malware samples learn statistical patterns that correlate with malicious intent — patterns that may be present in novel zero-day exploit payloads without those specific payloads having been seen before. While no ML model achieves 100% detection of novel malware, high-quality NGAV platforms demonstrate meaningful zero-day detection capability in independent tests that use never-before-seen malware samples (AV-TEST's "zero-day malware and web attacks" test category specifically measures this). EDR platforms with cloud-based threat intelligence can correlate newly seen behaviours across their entire customer base, identifying zero-day exploitation patterns when they appear in multiple places simultaneously.

  • Behavioural Detection: Post-exploitation actions are characteristic regardless of vulnerability — detectable without knowing the exploit.
  • Browser Spawn Detection: Browser unexpectedly spawning PowerShell or cmd.exe is a strong exploitation indicator.
  • Memory Protections: ASLR, DEP, CFG, ACG — OS mitigations that make successful exploitation significantly harder.
  • Exploit Protection: Malwarebytes Premium and similar products add application-level memory protection layers.
  • ML Detection: NGAV machine learning identifies statistical patterns in novel exploit payloads.
  • Cloud Intelligence: EDR correlation across millions of endpoints detects zero-day exploitation patterns at first appearance.
4. Reducing Zero-Day Exposure

Practical Steps to Reduce Your Zero-Day Vulnerability Exposure

The most effective measure against zero-day exploitation is reducing attack surface — the fewer software components you run that process untrusted external input, the fewer potential zero-day targets exist on your systems. Keep only necessary software installed and remove applications you don't use regularly — each application represents potential zero-day risk. Keep all software updated aggressively, including browser plugins, PDF readers, and media players. While updates don't address zero-days (by definition), they rapidly address known vulnerabilities that often remain exploitable because organisations are slow to patch. In practice, the majority of mass exploitation campaigns use recently disclosed-but-not-yet-patched vulnerabilities, not true zero-days — fast patching is thus highly effective.

Browser security settings provide meaningful zero-day risk reduction. Use browser features that reduce attack surface: disable JavaScript where possible on untrusted sites, using extensions like uBlock Origin (which also blocks the malicious advertising networks that deliver zero-day exploits via malvertising); use browser isolation or private/incognito mode for high-risk browsing; keep browsers updated to the latest version (browser vendors release updates very rapidly after zero-day disclosure); and consider using a dedicated browser instance for financial transactions rather than general browsing. For organisations, browser isolation technologies that execute browser sessions in cloud environments eliminate the risk that successful browser exploitation can reach the user's actual device or network.

For organisations at elevated risk of targeted attacks using zero-days — financial institutions, law firms with high-profile clients, civil society organisations, media companies, and businesses with geopolitically sensitive operations in Hong Kong — additional protective measures are warranted. Microsoft Defender's Attack Surface Reduction (ASR) rules block specific commonly-exploited behavioural patterns regardless of signature. Application allowlisting (only pre-approved applications can execute) prevents zero-day payloads from running even after successful exploitation of a delivery vector. Network segmentation limits the blast radius if exploitation succeeds. And for specifically high-risk individuals, Apple's iOS Lockdown Mode provides extreme hardening against zero-click mobile exploits at the cost of some functionality. Security is always a balance between protection and usability — the appropriate level depends on who is likely to be targeting you and why.

  • Attack Surface Reduction: Remove unnecessary software — each application is a potential zero-day target.
  • Fast Patching: Most mass exploitation uses recently disclosed vulnerabilities — prompt patching is highly effective.
  • Browser Updates: Keep browsers at latest version — vendors patch zero-days very rapidly after disclosure.
  • ASR Rules: Microsoft Defender Attack Surface Reduction rules block common post-exploitation behaviour patterns.
  • Application Allowlisting: Only pre-approved executables can run — prevents zero-day payload execution.
  • iOS Lockdown Mode: Extreme iOS hardening for journalists/activists/executives facing zero-click mobile exploit risk.
