This is a question I get all the time from clients and students. I tell them a "zero day attack" is when a vulnerability is discovered in an application or an OS and is unknown to the vendor or general public and a patch has yet to be released to fix it. The term zero day indicates basically that the attack could happen anytime because the system does not have a patch to fix the vulnerability.
Zero day attacks are the worst situation for security folks because we just do not know when said attack will happen. We are left in kinda of a limbo wondering if and when the attack might happen to our systems.
Here is a current example:
1) Microsoft has a known vulnerability in IE 8 for certain OS's. The vulnerability may allow an attacker to create a cross site scripting (XSS) attack to gain access to a system. Microsoft has not issued a patch but is investigating the issue. link:
2) Vuepen Security has confirmed that this is a vulnerability. link:
3) Metasploit also has included this vulnerablity and the actual code to exploit it in there latest release of Metasploit as well. link:
(By the way if you are not familiar with Metasploit check out my video. link)
The only good news is that we can use Metasploit to test if our systems are vulernable to the attack, the bad news is hackers can also use Metasploit to attack a system. This is what makes a zero day attack so dangerous.
Only time will tell on a zero day attack.