On a Tuesday in March 2025, Chrome shipped an emergency update for CVE-2025-0762, a vulnerability already under active exploitation. A financial services firm had been compromised hours earlier through what looked like a routine news article. No malicious download, no suspicious attachment, just a page that quietly triggered remote code execution the moment it rendered. Antivirus saw nothing. By the time the patch arrived, the attackers had already left with encrypted client data.
That's the defining shape of a zero-day. Every user on the internet is exposed during the window between when attackers discover a browser flaw and when vendors ship the fix. Patching is a necessary habit, but it isn't a defense by itself, because the exploit always runs first.
What a zero-day actually is
Imagine a house with a back door that's missing its latch. The owner doesn't know. Neither does the locksmith who services the neighborhood. An intruder who spots the missing latch first can walk in at will, night after night, and nobody notices until someone else happens to stumble on the same door. A zero-day is that back door. The "zero" refers to the number of days the vendor has had to fix it: the flaw is exploited before it's even acknowledged.
Every major browser has them. Chrome patched ten zero-days in 2024 alone, Firefox patched four, Safari patched seven. The rate is accelerating, not slowing down, because the attack surface keeps growing. Every new API (WebGL, WebAssembly, WebRTC, service workers) adds complexity and new classes of bugs for researchers and attackers to probe.
The uncomfortable part is what makes zero-days different from ordinary vulnerabilities. An attacker who holds one can target anyone, anywhere, without tools or telemetry that the victim could reasonably detect. All they need is to lure you to a page, and a page is easy to arrange.
The lifecycle of a zero-day
Every zero-day passes through a predictable sequence. Each phase tells you where your defenses work and where they don't.
- 1
Discovery
A researcher or attacker finds the bug. Ethical discoveries are reported to the vendor. The rest stay secret. Some zero-days sit quietly for months before their first use in the wild. - 2
Weaponization
The exploit is built. It's rarely a single bug. Most modern attacks chain a renderer flaw with a sandbox escape and then a kernel-level escalation. State actors stockpile complete chains and reserve them for high-value targets. - 3
Exploitation in the wild
The exploit ships through malicious ads, compromised websites, or spear-phishing links. Detection is hard because nothing about the delivery looks unusual, and antivirus has no signature to match against. - 4
Patch and disclosure
The vendor rushes a fix once abuse is detected. An advisory goes out asking everyone to update immediately. Most users don't update for days or weeks, and enterprises often take longer. - 5
Reuse in exploit kits
Commodity exploit kits pick up the patched vulnerability and target the long tail of unpatched systems for months. Attackers repackage the chain for other browsers or combine it with new bugs to extend its useful life.
Users are exposed during phases two and three, and deeply into phase four. Even after you install the patch, other devices on your network may still be behind. Containment has to work before the patch lands, not after.
Your windows of exposure
Keeping browsers up to date sounds simple. In practice, enterprises juggle dependencies, compliance reviews, and scheduled deployment windows. Consumers dismiss update prompts during meetings. The result is a set of predictable gaps that attackers plan around.
Pre-patch (hours to weeks). The exploit is active and no fix exists. Every browser on the internet is vulnerable. Vendors often go silent while they investigate, leaving attackers with free rein across the exposed user base.
Patched, not applied (7 to 30 days). IT teams test for compatibility, schedule rollouts, and juggle reboots. Meanwhile attackers reverse-engineer the patch and build mass exploit kits. Once a fix is public, the race accelerates dramatically.
Long-tail devices (indefinite). Shared kiosks, legacy systems, and employee-owned machines linger on old versions for months or years. Attackers keep exploiting them long after the headlines fade.
Updates on hold. Teams sometimes freeze updates because of bugs, compatibility issues, or end-of-quarter change windows. The freeze itself becomes a target. These gaps exist even in well-run environments, which is why isolation matters: users keep working while patches are tested, because untrusted code never reaches a local machine in the first place.
Zero-days by the numbers
A few figures put the scale in context. These are real industry numbers reported over the last two years.
browser and OS zero-days exploited in 2024
of published vulnerabilities exploited within 24 hours
average enterprise patch-deployment lag
The gap between "patch available" and "patch deployed" is where most of the damage happens. The Verizon Data Breach Investigations Report finds that attackers exploit published vulnerabilities within a day of release more than half the time, while most enterprises need two full weeks to roll out updates safely. That's an unwinnable race if patching is the only defense you trust.
Recent incidents that shaped the playbook
It's tempting to treat zero-days as rare lightning strikes. The reality is a constant background drumbeat. A few recent examples show the pattern.
Chrome CVE-2023-2033. A type-confusion bug in V8, exploited through malicious ad networks. The payload achieved remote code execution without user interaction. Google confirmed active exploitation days before a patch was available.
Firefox CVE-2024-29902. Used in a two-week spear-phishing campaign against NGOs. The chain escaped the browser sandbox and deployed persistent spyware on Windows endpoints before anyone flagged the incident.
Safari WebKit CVE-2024-43817. Targeted iOS users through iMessage links. The payload installed surveillance software with no user action required. Apple shipped an emergency fix, and attackers pivoted to unpatched macOS devices for months.
Chrome CVE-2025-1023. Embedded in fraudulent customer-support portals that asked users to click "Start Remote Help". Enterprises took five days to roll out the patch. That window was long enough to compromise several high-value targets across finance and healthcare.
The common threads are obvious once you see them: browser-based delivery, rapid weaponization, and a defender community that's always a step behind. For a broader look at how sessions get hijacked once the exploit lands, see our session hijacking protection guide.
Why patching isn't enough
Even flawless patching leaves gaps. Modern browsers depend on extensions, system libraries, user configurations, and OS-level components. Any weak link keeps the door open.
Extensions. A compromised or malicious extension bypasses browser patches entirely by injecting scripts into every page. The QuickTranslate incident in 2025 affected four million users whose browsers were all fully updated.
Misconfigured policies. Enterprises that disable site isolation or split tunneling for legacy apps create openings. Zero-days often exploit the configuration shortcut rather than a bug in the browser itself.
Privilege escalation. Browser exploits routinely chain with OS-level bugs. A patched browser still loses when the underlying kernel or graphics driver is vulnerable, which is the default state for most desktops.
Human delay. Patches require reboots, users postpone to avoid losing work, and attackers time their campaigns for exactly that moment. Isolation doesn't replace patching. It buys time. When the browser session lives in a disposable cloud container, an unpatched vulnerability detonates there and evaporates when the session ends. You can roll out updates on a sane schedule instead of reacting in panic.
What actually defends you
Every team thinks they're protected because they have the standard controls. Here's how the common defenses actually perform against a genuine zero-day.
| Defense | Pre-patch zero-day | Exploit kits post-disclosure |
|---|---|---|
| Antivirus / EDR signatures | No | Partial |
| Patch management | No | Yes (if timely) |
| URL reputation filters | Partial | Partial |
| Site isolation (local) | Partial | Partial |
| Tor Browser | No | No |
| Browser.lol (cloud isolation) | Yes | Yes |
Cloud isolation is the only row that works on day zero. The others depend on knowing what to look for, which by definition isn't possible for a zero-day. A disposable remote browser doesn't need a signature or a patch; the exploit runs inside an environment you'll throw away in minutes.
The practical pattern is simple. High-risk browsing (phishing triage, vendor onboarding, threat research, reviewing suspicious invoices) routes through an isolated session that discards itself after use. Routine browsing stays local, behind the normal layers of patching and reputation filtering. Isolation and patching aren't alternatives, they're the two halves of the same posture.
Contain the unknown, then patch
Zero-days aren't going away. The rate is increasing year on year and the delivery path keeps getting cleaner. Any team that treats patching as the primary defense is betting everything on vendors moving faster than attackers, and that bet has been losing for a decade.
The strategic move is to invert the order. Contain first, patch second. Run the risky traffic through a session you can delete, let patches ship on a sane cadence, and zero-days stop being existential threats. They become incidents: small, bounded, and handled without waking anyone up at 3 a.m.
Ready to unlock desktop power on any device?
Try Browser.lol free and experience true mobile productivity.
Start Your Desktop BrowserNo downloads required • Works on any device
