A Zero-Day Exploit is an attack that exploits security holes before the developer, or anyone else, knows about the vulnerability.
The security issue only becomes known after the attack occurs.
"Zero Day" just simply means the developer/software company had zero days to prepare for the attack or to patch the holes.
Malware like viruses, trojans, worms and all types of exploitative code can be run within the program. Some of the worst attacks allow computers to be taken over as zombies, to be used later by a controlling system. Many zombies are used for DDoS attacks, or to send spam.
Software like Microsoft Office and older versions of Internet Explorer have been hit multiple times by zero-day attacks especially because they connect to the Internet and can access multiple system files.
Because no one knows of the issue before the attack, zero day attacks are almost impossible to prevent. One effective method of limiting attacks is buffer overflows, which are used in all modern oeprating sytems.
Additionally, "whitelisting" is a method that is used to prevent zero-day attacks by only allowing known applications to access your system. New code is therefore not allowed access. This becomes ineffective when known apps have holes.