Slashdot Mirror


Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association for Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."

4 of 74 comments

  1. 5 in use right now by Anonymous Coward · Score: 5, Interesting

    Given a conservative estimate that a new 0-day exploit is found every 2 months, there are at least 5 unpatched exploits in the wild at any given moment.

  2. Responsible disclosure by Anonymous Coward · Score: 5, Insightful

    And yet time and time again, we have people arguing that the responsible thing is to let the vendor sit on the bug report for months, while their customers get infected.

    This is exactly my reason for arguing full disclosure. You need to inform the customers which software to block from the net by any means possible (which is then up to the customers' IT department) immediately, without caring about the reputation of the vendor. Hiding the bug report is only going to help anyone if you know for sure that nobody else has found the same hole, and that would require labeling yourself the smartest person on the planet. The safe thing to do is to assume that somebody else is smarter than you, and probably already knows about the hole.

  3. Re:Actually, by CastrTroy · Score: 5, Insightful

    I'm still waiting for them to fix the "hide file extensions for known file types" exploit. It's the first thing I change anytime I install Windows. And as far as I know, it can't be changed system-wide, only per user account. When executable files can specify their own icon and, for instance, look like an image or a Word document, this is very dangerous behaviour. What purpose does hiding the file extension have? Other than hiding "scary technical things" from dumb users (if they don't have the information, they'll remain stupid), I don't see any reason why this should exist. And it definitely shouldn't be turned on by default if they insist on the feature even existing.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  4. Re:Actually, by Anonymous Coward · Score: 5, Informative

    Even showing the extension, you are vulnerable.
    Using the Unicode character U+202E one can write from right to left and hide the real extension: for example, the executable "SexyL[U+202E]gpj.exe" will be shown as "SexyLexe.jpg" by the file manager!

    On Linux you can create such a file with
    echo > $'SexyL\342\200\256gpj.exe'
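The two tricks in the last two comments (the hidden ".exe" behind "holiday.jpg" when known extensions are hidden, and the U+202E right-to-left override that makes "gpj.exe" render as "exe.jpg") can be caught by the same check: compute the extension the OS will act on and compare it with the one the user sees. The script below is an added example, not code from the post or its commenters. The extension lists, the set of "known" types Explorer hides, and the one-rule model of bidi rendering are assumptions made for illustration; the sample filenames are constructed.

```python
"""Deceptive-filename check: the extension a user sees vs. the one the OS runs.
Added example for this page, not the commenters' code. Extension lists and the
simplified bidi rendering below are assumptions for illustration."""

# Unicode bidi control characters that can reorder or reshape displayed text.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)

# Assumed subset of extensions Windows treats as executable.
EXECUTABLE_EXTS = frozenset({
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "lnk", "ps1",
})
# Assumed "known file types" whose extension Explorer hides by default.
KNOWN_EXTS = EXECUTABLE_EXTS | {"jpg", "jpeg", "png", "gif", "txt",
                                "doc", "docx", "pdf", "zip"}


def strip_bidi(text: str) -> str:
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """Extension the OS acts on: after the last dot, bidi controls ignored."""
    plain = strip_bidi(name)
    return plain.rsplit(".", 1)[1].lower() if "." in plain else ""


def render(text: str) -> str:
    """Approximate what a file manager draws. Text after an RLO (U+202E) is
    shown reversed until a PDF (U+202C) or the end of the string; other bidi
    controls are invisible. This deliberately simplifies the Unicode bidi
    algorithm; it is enough for the trick discussed in the comment above."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\u202e":
            end = text.find("\u202c", i + 1)
            end = len(text) if end == -1 else end
            out.append(strip_bidi(text[i + 1:end])[::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def displayed_name(name: str, hide_known_ext: bool) -> str:
    """Name as shown to the user. With 'hide extensions for known file types'
    on, Explorer drops the real (last) extension before drawing the name."""
    raw = name
    if hide_known_ext and real_extension(name) in KNOWN_EXTS:
        raw = name[: name.rfind(".")]
    return render(raw)


def apparent_extension(name: str, hide_known_ext: bool) -> str:
    shown = displayed_name(name, hide_known_ext)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def analyze(name: str, hide_known_ext: bool = True) -> dict:
    """Return what the OS sees, what the user sees, and any red flags."""
    real = real_extension(name)
    seen = apparent_extension(name, hide_known_ext)
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")     # U+202E and friends in a filename
    if real in EXECUTABLE_EXTS and seen and seen != real:
        findings.append("extension-spoof")   # runs as .exe, looks like .jpg
    return {
        "shown_as": displayed_name(name, hide_known_ext),
        "real_ext": real,
        "apparent_ext": seen,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples, including the filename from the comment above.
    samples = [
        ("SexyL\u202egpj.exe", False),   # RLO trick, extensions visible
        ("SexyL\u202egpj.exe", True),    # RLO trick, extensions hidden
        ("holiday.jpg.exe", True),       # double extension, extensions hidden
        ("holiday.jpg.exe", False),      # same file with extensions shown
        ("report.pdf", True),            # benign document
    ]
    for name, hide in samples:
        print(f"hide_known_ext={hide!s:<5} {analyze(name, hide)}")
```

Note what the two settings do to each sample: with extensions visible the RLO file still renders as "SexyLexe.jpg" and is flagged, while "holiday.jpg.exe" is only deceptive once Explorer hides the trailing ".exe". A mail gateway or download scanner would apply the same two rules (bidi controls present; executable real extension behind a non-executable apparent one) regardless of the client's display setting.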