Security firm Symantec published the findings, which showed that the typical zero-day attack, an exploit for a vulnerability for which there is no patch available, lasted about 10 months on average before being discovered.
Through data retrieved from some 11 million computers running Symantec anti-virus software, researchers studied 18 zero-day cases that occurred between 2008 and 2010. They found that the majority of these attacks, 11, involved vulnerabilities that had never before been publicly known. Their report is expected to be presented Thursday at the Association for Computing Machinery's Computer and Communications Security conference in Raleigh, N.C.
The authors of the report – Leyla Bilge and Tudor Dumitras, senior research engineers at Symantec Research Labs – said that while zero-day attacks are not major threats to most users, they are serious for the organizations being targeted.
“It seems that as long as software will have bugs and the development of exploits for new vulnerabilities will be a proﬁtable activity, we will be exposed to zero-day attacks," the report said. "In fact, 60 percent of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought – perhaps more than twice as many.”
The report also addressed an ongoing security industry debate on whether researchers – assuming they want to – should disclose vulnerabilities and exploits to the public prior to affected software vendors being notified.
The authors concluded that the trade-off for full disclosure to the public, where software makers may be incited to patch issues more quickly, is unclear when weighed against the significant increase in attacks that could result upon full disclosure.
The report said more comprehensive data on zero-day attacks is needed before a decision can be made.
Brian Laing, director of U.S. marketing and products at AhnLab, a South Korea-based security solutions provider, told SCMagazine.com on Wednesday that measures taken to notify the public of exploits should match the scope of the threat. Laing leads development initiatives of zero-day detection products at AhnLab.
“I think it depends on the vulnerability itself,” he said. “If it's an issue where a configuration change won't help and it needs a software fix, I'm all for giving the vendor time to make that patch.”
Pierluigi Stella, CTO of Houston-based managed security services provider Network Box, said in an email to SCMagazine.com on Wednesday that attackers have no interest in coming clean about an exploit.
For them, the exploit is already “old news,” Stella said.
“Revealing the issue to the public, or not, does not change the fact that professional hackers are doing all this research on their own, are already fully aware of the vulnerabilities, are possibly exploiting them and aren't telling anybody,” Stella said. “Because the longer their findings stay secret the more money they can make.”