Monday, July 09, 2007

"Zero-day" bugs live a long time.

Malicious hackers are always on the prowl for zero-day bugs, that is, vulnerabilities that are not yet publicly known. Such bugs are valuable to an attacker because they have not been patched (the vendor may not even know about them), firewalls and anti-virus software are unlikely to catch exploits for them, and companies and individual users have not yet been warned to take precautions against them.

An article in COMPUTERWORLD reports on a talk about zero-days given by Justine Aitel, CEO of Immunity, at the SyScan '07 security conference.

The average zero-day bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer...

Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.

"Bugs die when they go public, and they die when they get patched," she said...

"Always assume everything has holes. It's the truth: it does."

Back when viruses mostly propagated by the sharing of floppy disks, you could keep your computer reasonably safe by loading only floppies from trusted sources (and virus-scanning those) and updating your antivirus software every few months. No longer. The most vicious malware is likely to arrive with no advance notice whatsoever and no opportunity to prepare a specific defense. You get zero days of warning.



Comment by Blogger Jim Horning:

A friend who works in an anti-malware company just told me that in the last couple of years they have gone from seeing 100 new viruses a month to seeing 2,000 new viruses per day. It's hard to keep up.

11:57 PM  
