"Zero-day" bugs live a long time.
An article in COMPUTERWORLD reports on a talk about zero-days by Justine Aitel, CEO of Immunity, at the SyScan '07 security conference.
Back when viruses mostly propagated by sharing of floppy disks, you could keep your computer reasonably safe by loading only floppies from trusted sources (and virus-scanning those) and updating your antivirus software every few months. No longer. The most vicious malware is likely to arrive with no advance notice whatsoever and no opportunity to prepare a specific defense. You get zero days of warning.

The average zero-day bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer...
Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.
"Bugs die when they go public, and they die when they get patched," she said..."Always assume everything has holes. It's the truth: it does."
Comments:
A friend who works in an anti-malware company just told me that in the last couple of years they have gone from seeing 100 new viruses a month to seeing 2,000 new viruses per day. It's hard to keep up.