Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association of Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."

Not news

[HarryatRock]

From Wikipedia zero day exploit

For example in 2008 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001.[4] The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years.

Looks like we've known about this for quite some time

Re:Free software vs. proprietary?

[Errtu76]

Perhaps it's your nick that triggers those responses.

Responsible disclosure

And yet time and time again, we have people arguing that the responsible thing is to let the vendor sit on the bug report for months, while their customers get infected.

This is exactly my reasons for arguing full disclosure. You need to inform the customers which software to block from the net by any means possible (which is then up to the customers' IT department) immediately, without caring about the reputation of the vendor. Hiding the bug report is only going to help anyone, if you know for sure that nobody else has found the same hole, and that would require labeling yourself the smartest person on the planet. The safe thing to do is to assume that somebody else is smarter than you, and probably already knows about the hole.

Re:Actually,

[CastrTroy]

I'm still waiting for them to fix the "hide file extensions for known file types" exploit. It's the first thing I change anytime I install Windows. And as far as I know, it can't be changed system wide, only per each user account. When executable files can specify their own icon, for instance, look like an image, or a Word document, this is very dangerous behaviour. What purpose does hiding the file extension have? Other then hiding "scary technical things" from dumb users (if they don't have the information, they'll remain stupid) I don't see any reason why this should exist. And it definitely shouldn't be turned on by default if they insist on the feature even existing.