Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association of Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."

5 in use right now

Given a conservative estimate that a new 0-day exploit is found every 2 months, there are at least 5 unpatched exploits in the wild at any given moment.

Re:5 in use right now

[Zocalo]

That seems awfully conservative to me. Since there is next to no incentive for a Black Hat to reveal any 0-day they are currently exploiting - bug bounty programmes being perhaps the one exception - then there is the possibility that any given exploit that is discovered might have already been found and be in the process of being exploited as an unknown 0-day by someone else. Taken to the extreme, and that could mean that every published and exploitable bug has been utilised a 0-day at some point, even when the person officially credited with discovery has used a responsible disclosure approach and a vendor patch has been available before the details are maed public.

I'd be very surprised if the number of 0-day exploits in active use, whether by criminals, scammers or government agencies, around the entire world at any given time was in single figures, and the figure even peaking into the three figure range doesn't seem like it's too unrealistic, either.

Free software vs. proprietary?

Somebody should do a comparison.

Re:Free software vs. proprietary?

[LinuxIsGarbage]

In that case there's no excuse because you can fix it yourself.

Re:Free software vs. proprietary?

[Lennie]

I'm just glad when a software vendor releases a fix, including security, it only takes up to a couple of days until my system gets it updates.

Everything else just means: you need to have fait in the original programmer and the team that handles the vulnerability reports.

Open source or not.

I believe open source works better though, I've never seen that someone reported a security bug was delayed for months on end.

Other then something like this: "Last year (2011) there was a period of several months when the CentOS project did not issue any security advisories or updates for CentOS 6. Many CentOS users got frustrated and worried about their system security"

Which just means people have the choice to replace CentOS with an other distribution and mostly life happily ever after.

With a closed system you can't, there is only one vendor of Windows, right ?

Re:Free software vs. proprietary?

[Errtu76]

Perhaps it's your nick that triggers those responses.

Re:Free software vs. proprietary?

And why does his nickname matter when it comes to a bug report? A bug is a bug, no matter if Hitler himself reports it. This is just another example of software authors finding ways to avoid providing support; you do realise it's that exact attitude that resulted in "BOFH syndrome" and "UNIX beardo" stereotypes, yes?

Re:Free software vs. proprietary?

Unfortunately his nickname identifies him as a troll. Not a lot of people then care if he's a troll with a valid bug report.

Scary

[FirephoxRising]

Wow they are scary numbers. I don't suppose we should be surprised, they want to make use of their exploit and/or they've seen how people are treated if they do point out vulnerabilities.

Not news

[HarryatRock]

From Wikipedia zero day exploit

For example in 2008 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001.[4] The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years.

Looks like we've known about this for quite some time

Make laws to punish flaws

[djscoumoune]

If software companies were punished for the security holes (or when they leak their databases) then it would become cheaper for them to hire people to fix flaws in house. After all it's easier to find flaws when you have access to the code in the first place. It's not normal that more exploits are found than fixed. It means that more hackers are employed that there should.

presented by Symantec, certainly unbiaised

[Herve5]

Brought to you by Symantec, the company that makes a living of (exclusively) selling remedies to security holes.
So, certainly neutral approach.

Also, Don't Forget SHAME

When you release something as open source, your reputation is on the line as everybody can inspect your coding. That in turn forces developers to be much more diligent.

Commercial software, on the other hand, is often a stinking heap of nasty and un-reviewed code. Managers regard it as a waste of resources to do proper code reviews (and consequential cleanups), because "that does not contribute to the development of new features which can be sold for $$$". And because most managers are proud to be ignorant dumbasses.

Re:teach these facts in elementary school

[fuzzyfuzzyfungus]

You'll also die if you don't use Facebook; but such is life.

Assuming only one person found the exploit

[concealment]

Most designations like "zero-day" assume that hacking is like academia and usually only one person discovers a vulnerability at a time. More likely, many people stumble across it in the course of doing other things, and trade it as a favor to other IT professionals or hackers. Those in turn trade it down the line until it gets to someone who uses it for evil.

I bet if you surveyed IT professionals, you will find that 90% of us have circumvented security in order to make necessary repairs or alterations at some time or another. It's a nobody's fault type situation; often you're waiting for a system to be upgraded, or integrated, or working your way around older hardware or software. The shortest distance between two points is through the security wall.

Mass malware infections of [Windows] machines

[dgharmon]

"One aspect of zero-day exploits use that's made them tough to track and count has been how closely targeted they are. Unlike the mass malware infections that typically infect many thousands of machines using known vulnerabilties, the majority of the exploits in Symantec's study only affected a handful of machines--All but four of the exploits infected less than 100 targets, and four were found on only one computer.

What OS do these machines run on?

Weren't they all

[dsvick]

...seven of which weren't previously known to have been zero-days

Aren't all attacks and exploits zero-days, at least on the first day?

Just wait 2 more days

[vortoxin]

If they just wait 2 more days (per the sumary) it can be a PI day vulnerability at 314 days.

Then everyone would take security seriously protecting their pi. I mean even the Amish have Pie safes.

Responsible disclosure

And yet time and time again, we have people arguing that the responsible thing is to let the vendor sit on the bug report for months, while their customers get infected.

This is exactly my reasons for arguing full disclosure. You need to inform the customers which software to block from the net by any means possible (which is then up to the customers' IT department) immediately, without caring about the reputation of the vendor. Hiding the bug report is only going to help anyone, if you know for sure that nobody else has found the same hole, and that would require labeling yourself the smartest person on the planet. The safe thing to do is to assume that somebody else is smarter than you, and probably already knows about the hole.

Re:teach these facts in elementary school

[Gr8Apes]

I'd rather see "die....Facebook". sigh.....

Re:Actually,

[CastrTroy]

I'm still waiting for them to fix the "hide file extensions for known file types" exploit. It's the first thing I change anytime I install Windows. And as far as I know, it can't be changed system wide, only per each user account. When executable files can specify their own icon, for instance, look like an image, or a Word document, this is very dangerous behaviour. What purpose does hiding the file extension have? Other then hiding "scary technical things" from dumb users (if they don't have the information, they'll remain stupid) I don't see any reason why this should exist. And it definitely shouldn't be turned on by default if they insist on the feature even existing.

Re:Systematic Security Measures

[Gr8Apes]

+ Managed Security Monitoring: Monitoring a firewall for suspicious traffic requires a lot of speciality knowledge and bespoke analysis scripts to filter out innocuous traffic and leave the suspicious stuff to human experts for investigation. This specialty function is probably best done by specialized companies who do that as their core business. Of course, the firewall must be a completely separate, independent device sitting between the potential targets of an attack and the general internet. A Raspberry PI-class of computer could probably do the job for home users.

Actually, your firewall and IDS should be separate, ideally, and the IDS is on a special port on a switch configured to receive all traffic on your LAN. That way it can monitor all traffic for unusual activity. HTTP traffic to a web server - no problem. HTTP traffic to an FTP server from an internal workstation? Red Flag.

Re:Actually,

Even showing the extension you are vulnerable.
Using the unicode character U+202e one can write from right to left and hide the real extension: for example the executable "SexyL[U+202e]gpj.exe" will be shown as "SexyLexe.jpg" by the filemanager!

On linux you can create such a file with
echo > $'SexyL\342\200\256gpj.exe'

Re:Actually,

[MattskEE]

Even showing the extension you are vulnerable.
Using the unicode character U+202e one can write from right to left and hide the real extension: for example the executable "SexyL[U+202e]gpj.exe" will be shown as "SexyLexe.jpg" by the filemanager!

On linux you can create such a file with
echo > $'SexyL\342\200\256gpj.exe'

Rather than simply modding you up I decided to try this out, and it works! Which is kind of creepy.

Not Surprising

[NinjaTekNeeks]

In the US, shooting the messenger is the standard in vulnerability disclosure. As such, in the past 5 years most researchers just give up on responsible disclosure, I mean, why bother?

The good deed you are doing will be met with adverse reaction by the non-technical public, the press and law enforcement. That's a risk researchers just cannot risk, better to just use your research for your own purposes; commercial, nefarious or otherwise, than risk spending 1-10 years in federal pound me in the ass lockup. Hell, even the government doesn't give a shit about responsible disclosure, look at Stuxnet, we know it had 0 days and we believe it was government backed, where was the responsible disclosure there? Government leaving millions at risk and no one holds them accountable?

Re:Actually,

[CastrTroy]

To create a file in Windows, I used python to create a file with the proper name. The following code worked

fname='SexyL' + unichr(8238) + 'gpj.exe'
f = open(fname,'w')
f.close()

It created a file in my python directory. It shows up as you describe. I was unaware that you could change the text direction in the middle of a line. This kind of thing could probably be used all over the place. If placed on a web server Internet Explorer will actually download the file "properly" with the correct unicode file name. Depending where you look at the file name, and whether it supports unicode in that specific interface it will either show up right or wrong. The IE download window shows the name with .exe on the end. But explorer shows it with .jpg at the end. Firefox just replaces the unicode character with an underscore, and Chrome replaces it a hyphen. IEs behavior, while correct, could cause a lot of security problems.