Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average

Posted by Soulskill on from the for-sufficiently-large-values-of-zero dept.

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association of Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."

8 of 74 comments (clear)

  1. 5 in use right now by Anonymous Coward · · Score: 5, Interesting

    Given a conservative estimate that a new 0-day exploit is found every 2 months, there are at least 5 unpatched exploits in the wild at any given moment.

  2. Not news by HarryatRock · · Score: 4, Insightful

    From Wikipedia zero day exploit

    For example in 2008 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001.[4] The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years.

    Looks like we've known about this for quite some time

    --
    nec sorte nec fato
  3. Re:Free software vs. proprietary? by Lennie · · Score: 4, Informative

    I'm just glad when a software vendor releases a fix, including security, it only takes up to a couple of days until my system gets it updates.

    Everything else just means: you need to have fait in the original programmer and the team that handles the vulnerability reports.

    Open source or not.

    I believe open source works better though, I've never seen that someone reported a security bug was delayed for months on end.

    Other then something like this: "Last year (2011) there was a period of several months when the CentOS project did not issue any security advisories or updates for CentOS 6. Many CentOS users got frustrated and worried about their system security"

    Which just means people have the choice to replace CentOS with an other distribution and mostly life happily ever after.

    With a closed system you can't, there is only one vendor of Windows, right ?

    --
    New things are always on the horizon
  4. Re:Free software vs. proprietary? by Errtu76 · · Score: 4, Insightful

    Perhaps it's your nick that triggers those responses.

  5. Also, Don't Forget SHAME by Anonymous Coward · · Score: 4, Informative

    When you release something as open source, your reputation is on the line as everybody can inspect your coding. That in turn forces developers to be much more diligent.

    Commercial software, on the other hand, is often a stinking heap of nasty and un-reviewed code. Managers regard it as a waste of resources to do proper code reviews (and consequential cleanups), because "that does not contribute to the development of new features which can be sold for $$$". And because most managers are proud to be ignorant dumbasses.

  6. Responsible disclosure by Anonymous Coward · · Score: 5, Insightful

    And yet time and time again, we have people arguing that the responsible thing is to let the vendor sit on the bug report for months, while their customers get infected.

    This is exactly my reasons for arguing full disclosure. You need to inform the customers which software to block from the net by any means possible (which is then up to the customers' IT department) immediately, without caring about the reputation of the vendor. Hiding the bug report is only going to help anyone, if you know for sure that nobody else has found the same hole, and that would require labeling yourself the smartest person on the planet. The safe thing to do is to assume that somebody else is smarter than you, and probably already knows about the hole.

  7. Re:Actually, by CastrTroy · · Score: 5, Insightful

    I'm still waiting for them to fix the "hide file extensions for known file types" exploit. It's the first thing I change anytime I install Windows. And as far as I know, it can't be changed system wide, only per each user account. When executable files can specify their own icon, for instance, look like an image, or a Word document, this is very dangerous behaviour. What purpose does hiding the file extension have? Other then hiding "scary technical things" from dumb users (if they don't have the information, they'll remain stupid) I don't see any reason why this should exist. And it definitely shouldn't be turned on by default if they insist on the feature even existing.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  8. Re:Actually, by Anonymous Coward · · Score: 5, Informative

    Even showing the extension you are vulnerable.
    Using the unicode character U+202e one can write from right to left and hide the real extension: for example the executable "SexyL[U+202e]gpj.exe" will be shown as "SexyLexe.jpg" by the filemanager!

    On linux you can create such a file with
    echo > $'SexyL\342\200\256gpj.exe'