Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association of Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."

Re:Free software vs. proprietary?

[LinuxIsGarbage]

Well that's the response I get with bug reports.

Not news

[HarryatRock]

From Wikipedia zero day exploit

For example in 2008 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001.[4] The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years.

Looks like we've known about this for quite some time

Re:Free software vs. proprietary?

[Errtu76]

Perhaps it's your nick that triggers those responses.

Re:5 in use right now

[Zocalo]

That seems awfully conservative to me. Since there is next to no incentive for a Black Hat to reveal any 0-day they are currently exploiting - bug bounty programmes being perhaps the one exception - then there is the possibility that any given exploit that is discovered might have already been found and be in the process of being exploited as an unknown 0-day by someone else. Taken to the extreme, and that could mean that every published and exploitable bug has been utilised a 0-day at some point, even when the person officially credited with discovery has used a responsible disclosure approach and a vendor patch has been available before the details are maed public.

I'd be very surprised if the number of 0-day exploits in active use, whether by criminals, scammers or government agencies, around the entire world at any given time was in single figures, and the figure even peaking into the three figure range doesn't seem like it's too unrealistic, either.

Re:Free software vs. proprietary?

And why does his nickname matter when it comes to a bug report? A bug is a bug, no matter if Hitler himself reports it. This is just another example of software authors finding ways to avoid providing support; you do realise it's that exact attitude that resulted in "BOFH syndrome" and "UNIX beardo" stereotypes, yes?

Assuming only one person found the exploit

[concealment]

Most designations like "zero-day" assume that hacking is like academia and usually only one person discovers a vulnerability at a time. More likely, many people stumble across it in the course of doing other things, and trade it as a favor to other IT professionals or hackers. Those in turn trade it down the line until it gets to someone who uses it for evil.

I bet if you surveyed IT professionals, you will find that 90% of us have circumvented security in order to make necessary repairs or alterations at some time or another. It's a nobody's fault type situation; often you're waiting for a system to be upgraded, or integrated, or working your way around older hardware or software. The shortest distance between two points is through the security wall.

Re:Free software vs. proprietary?

Unfortunately his nickname identifies him as a troll. Not a lot of people then care if he's a troll with a valid bug report.

Responsible disclosure

And yet time and time again, we have people arguing that the responsible thing is to let the vendor sit on the bug report for months, while their customers get infected.

This is exactly my reasons for arguing full disclosure. You need to inform the customers which software to block from the net by any means possible (which is then up to the customers' IT department) immediately, without caring about the reputation of the vendor. Hiding the bug report is only going to help anyone, if you know for sure that nobody else has found the same hole, and that would require labeling yourself the smartest person on the planet. The safe thing to do is to assume that somebody else is smarter than you, and probably already knows about the hole.

Re:Actually,

[CastrTroy]

I'm still waiting for them to fix the "hide file extensions for known file types" exploit. It's the first thing I change anytime I install Windows. And as far as I know, it can't be changed system wide, only per each user account. When executable files can specify their own icon, for instance, look like an image, or a Word document, this is very dangerous behaviour. What purpose does hiding the file extension have? Other then hiding "scary technical things" from dumb users (if they don't have the information, they'll remain stupid) I don't see any reason why this should exist. And it definitely shouldn't be turned on by default if they insist on the feature even existing.