Zero-day vulnerabilities and exploits dominate the headlines and the most heated discussions in information security.
Researchers at Symantec set out to measure how actively attackers use zero-day vulnerabilities and what the average "shelf life" of such a vulnerability is before it becomes known to the public and to the vendor, which then releases a patch.
A study of this kind cannot be done directly, for obvious reasons: zero-day vulnerabilities are by definition unknown, and the malware that exploits them is not detected by antivirus software. Symantec's researchers instead developed a method for recognizing zero-day attacks automatically after the fact: once a vulnerability has been disclosed and the files that exploit it have been identified, the download records are searched backwards for the earliest date those files appeared on a host. The data set covers binary files downloaded to 11 million computers around the world between February 2008 and March 2011. The resulting empirical study produced some interesting findings. The work was presented two days ago at a conference of the Association for Computing Machinery.
Analysis of the collected statistics revealed 18 vulnerabilities that were exploited before information about them was published. Of these, 11 had not previously been known to have been used in zero-day attacks. The lifetime of a zero-day vulnerability ranged from 19 days to 30 months, with an arithmetic mean of 312 days and a median of about 240 days.
After a zero-day vulnerability is publicly disclosed, the number of attacks exploiting it increases many times over, in some cases by a factor of 100,000 (five orders of magnitude). At the same time, the patch that fixes the vulnerability often arrives later than the disclosure itself. The graph below shows the rise in the number of attacks after a zero-day vulnerability is published.
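The measurement described above, reduced to its core logic: take the earliest sighting of each exploit file in the download telemetry, compare it with the vulnerability's disclosure date, and compute the pre-disclosure lifetime and the before/after attack volume. This is an added example written for this page, not code from the Symantec study. The telemetry records, host identifiers, disclosure dates and vulnerability labels (VULN-A and so on) are constructed placeholders, not real identifiers, and the example assumes each record already carries the vulnerability it exploits, which in the real study came from antivirus detections applied after disclosure.

```python
"""Reconstruct zero-day lifetimes from binary download telemetry (added example).

Each sighting is (file_hash, host_id, date_seen, vulnerability_label).
A vulnerability counts as a zero-day if an exploit file for it was seen on
some host before its public disclosure; its lifetime is disclosure minus
the earliest sighting.
"""
from datetime import date, timedelta
from statistics import mean, median

# Constructed telemetry; labels and hosts are placeholders, not real identifiers.
SIGHTINGS = [
    ("a1", "host-001", date(2010, 1, 1), "VULN-A"),   # before disclosure
    ("a1", "host-002", date(2010, 1, 15), "VULN-A"),  # before disclosure
    ("a1", "host-003", date(2010, 1, 25), "VULN-A"),  # after disclosure
    ("a2", "host-004", date(2010, 2, 2), "VULN-A"),
    ("a2", "host-005", date(2010, 2, 10), "VULN-A"),
    ("a2", "host-006", date(2010, 3, 1), "VULN-A"),
    ("a2", "host-007", date(2010, 4, 5), "VULN-A"),
    ("a2", "host-008", date(2010, 4, 15), "VULN-A"),
    ("a2", "host-009", date(2010, 6, 1), "VULN-A"),   # outside the 90-day window
    ("b1", "host-010", date(2009, 6, 1), "VULN-B"),
    ("b1", "host-011", date(2009, 9, 1), "VULN-B"),
    ("c1", "host-020", date(2008, 6, 1), "VULN-C"),
    ("d1", "host-030", date(2010, 8, 10), "VULN-D"),  # seen only after disclosure
    ("e1", "host-040", date(2010, 9, 1), "VULN-E"),   # no disclosure date known
]

# Constructed disclosure dates (assumption: one public disclosure date per vulnerability).
DISCLOSURE = {
    "VULN-A": date(2010, 1, 20),
    "VULN-B": date(2010, 1, 27),
    "VULN-C": date(2010, 4, 9),
    "VULN-D": date(2010, 8, 1),
}


def zero_day_windows(sightings, disclosure):
    """Return {vuln: (first_seen, disclosed, lifetime_days)} for every vulnerability
    whose exploit was seen on a host strictly before its disclosure date.
    Vulnerabilities without a known disclosure date cannot be measured and are skipped."""
    first_seen = {}
    for _file_hash, _host, day, vuln in sightings:
        if vuln not in first_seen or day < first_seen[vuln]:
            first_seen[vuln] = day
    windows = {}
    for vuln, seen in first_seen.items():
        disclosed = disclosure.get(vuln)
        if disclosed is not None and seen < disclosed:
            windows[vuln] = (seen, disclosed, (disclosed - seen).days)
    return windows


def lifetime_stats(windows):
    """Summarize zero-day lifetimes in days: count, min, max, mean and median."""
    days = [lifetime for _seen, _disclosed, lifetime in windows.values()]
    return {"n": len(days), "min": min(days), "max": max(days),
            "mean": mean(days), "median": median(days)}


def disclosure_amplification(sightings, disclosure, vuln, window_days=90):
    """Count distinct hosts attacked in the window_days before disclosure versus the
    window_days from disclosure onward; return (before, after, after/before).
    A vulnerability with no pre-disclosure attacks yields an infinite ratio."""
    disclosed = disclosure[vuln]
    lo = disclosed - timedelta(days=window_days)
    hi = disclosed + timedelta(days=window_days)
    before, after = set(), set()
    for _file_hash, host, day, v in sightings:
        if v != vuln:
            continue
        if lo <= day < disclosed:
            before.add(host)
        elif disclosed <= day < hi:
            after.add(host)
    ratio = len(after) / len(before) if before else float("inf")
    return len(before), len(after), ratio


if __name__ == "__main__":
    windows = zero_day_windows(SIGHTINGS, DISCLOSURE)
    for vuln, (seen, disclosed, lifetime) in sorted(windows.items()):
        print(f"{vuln}: first seen {seen}, disclosed {disclosed}, {lifetime} days as a zero-day")
    print("lifetime stats:", lifetime_stats(windows))
    print("VULN-A hosts before/after disclosure:", disclosure_amplification(SIGHTINGS, DISCLOSURE, "VULN-A"))
```

With the constructed data the three measurable zero-days have lifetimes of 19, 240 and 677 days (mean 312, median 240), and VULN-A goes from 2 hosts in the 90 days before disclosure to 6 in the 90 days after. The same logic, applied to a real telemetry feed with antivirus labels and vulnerability-database disclosure dates, is what produces the kind of lifetime and amplification figures the article reports.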
Since zero-day vulnerabilities are exploited for an average of 312 days before information about them is published, a more accurate name for them would be "312-day vulnerabilities."
"Given the rather long life of zero-day vulnerabilities, their high price on the black market becomes understandable," says Symantec.