The Zero-Day Lie
The term zero day gets thrown around in cybersecurity like confetti. Every other week there is a new headline. A fresh vulnerability disclosure lands and someone calls it a zero day. A Log4Shell variant shows up in a different library and the tweets flood in saying zero day again. A CVE drops on a Tuesday and by Wednesday half the infosec timeline is calling it a zero day. But the term has a precise meaning. And we have almost completely abandoned it.
The original definition is specific. A zero day vulnerability is one that is unknown to the vendor and unknown to anyone capable of mitigating it. The zero means the vendor has had zero days to fix it because they do not even know it exists yet. An exploit that targets one of these is a zero day exploit. An actual attack in the wild is a zero day attack. Not close. Not new to you. Not something you personally just found out about. Unknown. To the vendor. To defenders. To everyone.
The term itself comes from the warez scene where zero day software meant software obtained before its official release day. Day zero. You got it before anyone else could. Eventually the term migrated into vulnerability research and took on the more specific meaning we use now. Or at least the meaning we are supposed to use.
Here is what actually happens in practice. A vulnerability is discovered by someone. Could be a researcher. Could be an intelligence agency. Could be a threat actor. That vulnerability gets traded on dark markets. It gets stockpiled. It gets used quietly in targeted operations that never make headlines. Months go by. Maybe years. The RAND Corporation published research showing that the average zero day exploit remains usable for almost seven years. Seven years of being actively exploitable while no one with the ability to fix it knows it exists.
Then one day a vendor finds out. Or a researcher publishes. Or a breach happens that forces disclosure. And suddenly it is a zero day. Headline writers love that word. It sounds scary. It sounds fresh. It sounds like something brand new that just crawled out of the shadows and is about to get everyone, except that it has probably been kicking around for ages.
This is not semantics. Language shapes how we think about risk. When every vaguely interesting CVE gets called a zero day, the word stops meaning anything. Teams become desensitised. They hear zero day and think: same as every other alert. They have heard it fifty times this month alone, for things that have been in the wild since before some of them graduated.
Meanwhile true zero days are genuinely terrifying. These are vulnerabilities that no defender has ever seen. No signatures exist. No behavioural detection catches them. No patch is coming because no one knows there is a problem. Stuxnet used four of them. EternalBlue was one for years before the Shadow Brokers dumped it. These are the ones that keep security architects up at night.
And then there is the uncomfortable part. Governments buy these. The NSA had an entire unit dedicated to finding and purchasing zero days. China buys them. Russia buys them. Israel sells them. There is a thriving market where exploits that nobody knows about fetch millions of dollars and get quietly deployed against targets that never find out they were compromised. These vulnerabilities are zero day in the truest possible sense, and they exist in massive numbers.
So is that new CVE everyone is calling a zero day actually a zero day? Probably not. Chances are someone else already knew about it. Chances are it has been quietly exploited, traded or stockpiled for longer than you realise. The only thing that is genuinely new is your awareness of it. Thinking something is unexplored when people have already been there for ages is the industry version of zero day. It only looks new from where you are standing.
The next time someone calls a vulnerability a zero day, ask them one simple question. If the vendor has already issued a patch, does it really count? If researchers have known about it for months, does it really count? If there are already signatures in the major threat intel feeds, does it really count? Probably not. It is just new to you. And that is not the same thing.
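As an added example that is not part of the original post, here is a small Python triage helper that applies the definition above literally: it counts how many days the vendor has had to fix a bug as of a given date (the "zero" in zero day), measures how long a bug was exploited in the wild before the vendor knew, and reports the patch, disclosure and signature facts that the closing questions ask about. The record fields, the HYPOTHETICAL-* names and every date are constructed for illustration and do not describe any real CVE.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    """What a triage team typically has on file for a bug. The field set is an
    assumption about such a record, not the schema of any real feed."""
    name: str
    vendor_aware: Optional[date]        # when the vendor learned of it; None = still unknown to them
    first_exploited: Optional[date]     # earliest known in-the-wild use, if any
    patch_released: Optional[date]      # vendor fix date, if any
    public_disclosure: Optional[date]   # advisory / CVE publication date, if any
    has_signatures: bool                # detection content already in major threat-intel feeds


def vendor_days(rec: VulnRecord, as_of: date) -> int:
    """The 'zero' in zero day: days the vendor has had to fix it as of `as_of`."""
    if rec.vendor_aware is None or rec.vendor_aware > as_of:
        return 0
    return (as_of - rec.vendor_aware).days


def zero_day_window(rec: VulnRecord, as_of: date) -> int:
    """Days the bug was exploited in the wild while nobody able to fix it knew.
    Returns 0 when no in-the-wild exploitation is recorded."""
    if rec.first_exploited is None:
        return 0
    end = rec.vendor_aware if rec.vendor_aware is not None else as_of
    return max(0, (min(end, as_of) - rec.first_exploited).days)


def classify(rec: VulnRecord, as_of: date) -> tuple[str, list[str]]:
    """Return ('zero-day' | 'n-day', reasons). Only a bug the vendor does not know
    about is a zero day; everything else is merely new to whoever is reading about it."""
    if vendor_days(rec, as_of) == 0:
        return "zero-day", ["vendor has had 0 days to fix it"]
    reasons = [f"vendor has known for {vendor_days(rec, as_of)} days"]
    if rec.patch_released is not None and rec.patch_released <= as_of:
        reasons.append(f"patch shipped {(as_of - rec.patch_released).days} days ago")
    if rec.public_disclosure is not None and rec.public_disclosure <= as_of:
        reasons.append(f"publicly disclosed {(as_of - rec.public_disclosure).days} days ago")
    if rec.has_signatures:
        reasons.append("detection signatures already exist in threat-intel feeds")
    window = zero_day_window(rec, as_of)
    if window:
        reasons.append(f"was a true zero day for {window} days before the vendor learned of it")
    return "n-day", reasons


# Constructed sample records: hypothetical names and dates, not real vulnerabilities.
AS_OF = date(2024, 5, 1)
SAMPLES = [
    # Exploited in the wild, vendor still unaware: the only genuine zero day here.
    VulnRecord("HYPOTHETICAL-A", None, date(2024, 1, 10), None, None, False),
    # Exploited for months, then reported, patched and signatured: an n-day that
    # a headline would still happily call a zero day.
    VulnRecord("HYPOTHETICAL-B", date(2024, 3, 1), date(2023, 6, 15),
               date(2024, 4, 2), date(2024, 4, 2), True),
    # Reported to the vendor three days ago, nothing public yet: already not a zero day.
    VulnRecord("HYPOTHETICAL-C", date(2024, 4, 28), None, None, None, False),
]


def triage(records: list[VulnRecord], as_of: date) -> list[tuple[str, str, list[str]]]:
    """Classify every record and keep the reasons so the label can be challenged."""
    return [(r.name, *classify(r, as_of)) for r in records]


if __name__ == "__main__":
    for name, label, reasons in triage(SAMPLES, AS_OF):
        print(f"{name}: {label} ({'; '.join(reasons)})")
```

The point of keeping the reasons alongside the label is that the label alone is what gets argued about; the vendor-days count, the patch age and the signature flag are the facts that settle the argument. Note that HYPOTHETICAL-C stops being a zero day the moment the vendor is told, even though no patch or signature exists yet; that is exactly the distinction the definition draws.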