Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Saturday, November 1, 2008

Zero-day protection

Source
Attack vectors
Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. For example, when users visit rogue (or black hat) Web sites, code on the site may exploit vulnerabilities in Web browsers. Web browsers are a particular target because of their widespread distribution and usage. Hackers can also send e-mail attachments via SMTP, which exploit vulnerabilities in the application opening the attachment.
Exploits that take advantage of common file types are numerous and frequent, as evidenced by their increasing appearances in databases like US-CERT.
Users with malicious intent can engineer malware to take advantage of these file type exploits to compromise attacked systems or steal confidential data.
Vulnerability window
Zero-day attacks occur when a vulnerability window exists between the time a threat is released and the time security vendors release patches.
For viruses, Trojans and other zero-day attacks, the vulnerability window follows this timeline:
  • Release of new threat/exploit into the wild
  • Detection and study of new exploit
  • Development of new solution
  • Release of patch or updated signature pattern to catch the exploit
  • Distribution and installation of patch on user's systems or updating of virus databases
This process can last hours or days, during which networks experience the so-called vulnerability window. One report estimates the 2006 vulnerability window at 28 days.

Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks also can remain undetected after they are launched.
Many techniques exist to limit the effectiveness of zero-day memory corruption vulnerabilities, such as buffer overflows. These protection mechanisms exist in contemporary operating systems such as Apple's Mac OS X, Microsoft Windows Vista, Sun Microsystems' Solaris, GNU/Linux, Unix, and Unix-like environments; Microsoft Windows XP Service Pack 2 includes limited protection against generic memory corruption vulnerabilities. Desktop and server protection software also exists to mitigate zero-day buffer overflow vulnerabilities.
The use of port knocking or Single Packet Authorization daemons may provide effective protection against zero-day exploits. However, these techniques are not suitable for environments with a large number of users.
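To make the Single Packet Authorization idea concrete, here is an added illustration (not code from the original post or from any particular SPA daemon) of the verification a gateway performs before it opens a firewall rule: the client sends one authenticated packet, the gateway checks an HMAC tag, a timestamp and a replay cache, and anything that fails is dropped silently. The shared secret, client address, skew window and packet layout are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real deployment uses a per-client key.
SHARED_SECRET = b"example-shared-secret-not-for-production"
ALLOWED_SKEW_SECONDS = 30
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_spa_packet(secret, client_ip, dst_port, now, nonce):
    """Client side: serialize the access request and append an HMAC-SHA256 tag."""
    body = json.dumps(
        {"ip": client_ip, "port": dst_port, "ts": now, "nonce": nonce},
        sort_keys=True,
    ).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaVerifier:
    """Gateway side: the protected port stays closed until a packet verifies."""

    def __init__(self, secret, skew=ALLOWED_SKEW_SECONDS):
        self.secret = secret
        self.skew = skew
        self.seen_nonces = set()  # replay cache; a real daemon would expire old entries
        self.open_rules = []      # (client_ip, port) pairs a firewall rule would be added for

    def verify(self, packet, now):
        """Return (accepted, reason). Rejections are never answered on the wire."""
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False, "malformed"
        if len(raw) < TAG_LEN:
            return False, "too short"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        # Constant-time compare; check the tag before parsing so unauthenticated
        # senders cannot exercise the JSON parser at all.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        fields = json.loads(body)
        if abs(now - fields["ts"]) > self.skew:
            return False, "stale"
        if fields["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(fields["nonce"])
        self.open_rules.append((fields["ip"], fields["port"]))
        return True, "authorized"
```

The point for zero-day defence is the ordering inside `verify`: nothing is parsed and no port is exposed until the tag checks out, so a flaw in the service behind the gateway is unreachable by anyone who does not already hold the key. The per-client secret is also why the text calls this unsuitable for large user populations; every user needs a key provisioned and rotated.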
Whitelisting technology effectively protects against zero-day threats. Whitelisting will only allow known good applications to access a system, and so any new or unknown exploits are not allowed access. Although whitelisting is effective against zero-day attacks, unless it is combined with other methods of protection such as HIPS or a blacklist of virus definitions it can sometimes be quite restrictive to the user.
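The following added example (mine, not the post's or any vendor's product) shows why an application whitelist stops a never-before-seen binary that a signature blacklist cannot, and also why the text calls it restrictive: a legitimate vendor update is blocked until someone approves the new hash. The binaries, paths and "known bad" digest are constructed stand-ins.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (real policies hash the actual files).
APPROVED_EDITOR_V1 = b"ELF-stand-in: editor build 1.0"
APPROVED_EDITOR_V2 = b"ELF-stand-in: editor build 1.1"   # vendor update, not yet approved
UNKNOWN_DROPPER = b"ELF-stand-in: never-seen-before payload"

# Blacklist layer: digests of previously analysed malware (constructed).
KNOWN_BAD_DIGESTS = {sha256_hex(b"ELF-stand-in: old worm sample")}


class ExecutionPolicy:
    """Allow execution only when the file's hash is on the approved list for its path."""

    def __init__(self, approved: dict, known_bad: set):
        self.approved = approved      # path -> set of approved SHA-256 hex digests
        self.known_bad = known_bad    # signature blacklist, checked first for logging value

    def decide(self, path: str, content: bytes):
        digest = sha256_hex(content)
        if digest in self.known_bad:
            return "deny", "matches known-bad signature"
        if path not in self.approved:
            return "deny", "unknown application"
        if digest not in self.approved[path]:
            return "deny", "approved path but unapproved build"
        return "allow", "hash matches approved build"

    def approve(self, path: str, content: bytes):
        """Administrative step that makes a new build runnable."""
        self.approved.setdefault(path, set()).add(sha256_hex(content))


def demo():
    policy = ExecutionPolicy(
        {"/usr/bin/editor": {sha256_hex(APPROVED_EDITOR_V1)}},
        set(KNOWN_BAD_DIGESTS),
    )
    results = {
        # Known good application runs.
        "approved": policy.decide("/usr/bin/editor", APPROVED_EDITOR_V1),
        # A brand-new payload has no signature yet; the blacklist is silent,
        # but the whitelist denies it simply because it is unknown.
        "dropper": policy.decide("/tmp/update.bin", UNKNOWN_DROPPER),
        # The restrictive side: a legitimate update is blocked until approved.
        "update_before": policy.decide("/usr/bin/editor", APPROVED_EDITOR_V2),
    }
    policy.approve("/usr/bin/editor", APPROVED_EDITOR_V2)
    results["update_after"] = policy.decide("/usr/bin/editor", APPROVED_EDITOR_V2)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The blacklist check is kept in front of the whitelist only so that a match is recorded with a more useful reason; the default-deny decision does not depend on it, which is exactly the property that covers zero-day code.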
The Zeroday Emergency Response Team, or ZERT, is a group of software engineers who work to release non-vendor patches for zero-day exploits.
