Mitigate zero-day vulnerabilities

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

To sign up for the Defender Vulnerability Management public preview or if you have any questions, contact us (mdvmtrial@microsoft.com).

Already have Microsoft Defender for Endpoint P2? Sign up for a free trial of the Defender Vulnerability Management Add-on.

A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available. Zero-day vulnerabilities often have high severity levels and are actively exploited.

Vulnerability management will only display zero-day vulnerabilities it has information about.

Find information about zero-day vulnerabilities

Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft 365 Defender portal.

Note

0-day vulnerability capability is currently available only for Windows products.

Defender Vulnerability Management dashboard

Look for recommendations with a zero-day tag in the "Top security recommendations" card.

Top recommendations with a zero-day tag.

Find top software with the zero-day tag in the "Top vulnerable software" card.

Top software recommendations with a zero-day tag.

Weaknesses page

Look for the named zero-day vulnerability along with a description and details.

  • If this vulnerability has a CVE-ID assigned, you'll see the zero-day label next to the CVE name.

  • If this vulnerability has no CVE-ID assigned, you'll find it under an internal, temporary name that looks like "TVM-XXXX-XXXX". The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.

Zero day example for CVE-2020-17087 in weaknesses page.

Software inventory page

Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities.

Zero day example of Windows Server 2016 in the software inventory page.

Software page

Look for a zero-day tag for each software that has been affected by the zero-day vulnerability.

Zero day example for Windows Server 2016 software page.

Security recommendations page

View clear suggestions about remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities.

If there's software with a zero-day vulnerability and additional vulnerabilities to address, you'll get one recommendation about all vulnerabilities.

Zero day example of Windows Server 2016 in the security recommendations page.

Addressing zero-day vulnerabilities

Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software.

There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.

Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. You won't be able to select a due date, since there's no specific action to perform. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose "update."

Zero day flyout example of Windows Server 2016 in the security recommendations page.

Track zero-day remediation activities

Go to the Remediation page to view the remediation activity item. If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there's no actual action we can monitor. You can filter by remediation type, such as "software update" or "attention required," to see all activity items in the same category.

Patching zero-day vulnerabilities

When a patch is released for the zero-day, the recommendation will be changed to "Update" and a blue label next to it that says "New security update for zero day." It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.