Techopedia Explains Zero-Day Threat
Zero-day exploits are often released by renowned hacker groups. Typically, a zero-day attack exploits a bug that neither the developers nor the users know about. Indeed, this is exactly what the malicious coders anticipate. By discovering a software vulnerability before the software's developers do, a hacker can create a worm or virus that exploits the vulnerability and harms computers.
Not all zero-day attacks actually take place before the software developers discover the vulnerability. In certain cases, the developers discover and understand the vulnerability; however, it may take some time to develop the patch to fix it. Also, software makers may occasionally postpone a patch release to avoid flooding users with several individual updates. If the developers find that the vulnerability is not extremely dangerous, they may decide to postpone the patch release until a number of patches are collected together. Once these patches are collected, they are released as a package. However, this strategy is risky because it could invite a zero-day attack.
Zero-day attacks occur within a time frame known as the vulnerability window. This extends from the first exploitation of the vulnerability to the point at which the threat is countered. Attackers engineer malicious software (malware) to exploit common file types, compromise attacked systems and steal valuable data. Zero-day attacks are carefully implemented for maximum damage - usually in the span of one day. The vulnerability window could range from a short period to multiple years. For instance, in 2008, Microsoft revealed an Internet Explorer vulnerability that affected a few versions of Windows released during 2001. The date on which this vulnerability was initially discovered by the attacker is unknown, but the vulnerability window in such a case might have been as much as seven years.