How widespread are successful zero-day exploits / attacks?

Discussion in 'other security issues & news' started by John__Doe, Jan 17, 2019.

  1. John__Doe

    John__Doe Registered Member

    Joined:
    Jan 4, 2019
    Posts:
    3
    Location:
    Germany
    How widespread are successful zero-day exploits / attacks compared to all other successful malware attacks that are not considered zero-day attacks?

    I just like to get a rough idea like 0.001% or 0.8% or .... of all successful attacks.
    I'm aware that there is no official statistics published anywhere, but I'd like to get the opinion from some security experts in this forum.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Read this: https://www.rand.org/news/press/2017/03/09.html
     
  3. guest

    guest Guest

    You are too optimistic. Exploits are more and more used, especially fileless ones using their own embedded PowerShell/Python, which escape traditional AVs since they don't even need the PowerShell of the target.

    They are sophisticated and so more stealthy; they can infect a network/system and stay dormant unless the attackers decide to activate it (nation-state exploits particularly).

    However, like any malware they need an entry point; if the user covers it properly, the risk of being hit is low.
     
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    As a home user, you're just not going to get hit with a 0-day exploit while browsing with a secure browser like Chrome or Firefox; malware is just not going to appear out of thin air. The infections will come from you running something, or not keeping your system and software up to date (by you, I mean everyone reading).
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    It is also necessary to formalize a few definitions.

    Technically speaking, an exploit is malware that attacks a system or app vulnerability. A 0-day malware is not by definition an exploit, although it could be. A 0-day malware is one that is not being detected by any conventional security software. The majority of known vulnerabilities are never exploited due to the fact that when discovered, they are privately disclosed to the vendor and immediately patched. However, just because a patch is available does not necessarily mean it is applied to the vulnerable software.

    What is known is that the longer in time after a vulnerability has been publicly disclosed, the more likely attackers will develop malware to exploit it. As far as trying to positively calculate the percentage of malware that is exploit based, it really can't be done. This is because the primary variable it is dependent upon, unknown vulnerabilities, cannot be determined or accurately estimated. All that is known is the newer in age a piece of software is, the larger the probability that it will have unknown vulnerabilities.

    Finally, not all vulnerabilities are of equal severity with OS kernel vulnerabilities being the most severe. Additionally, not all vulnerabilities are easy to exploit.
     
    Last edited: Jan 17, 2019
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Yeah, and many vulnerabilities also require a payload that would be bad anyway if run (it's just worse with an exploit involved), like running an exe or a malicious Office document with macros etc.

    That's why running in a VM or sandboxing potentially bad applications (like, if you just downloaded the official Skype installer from skype.com, chances are it's legit, you can even check the signature for some more security, but if you downloaded some tool from a not-so-famous site or a crack or something like that, then there are decent chances it might do something bad on your computer one way or another) is not a bad idea. Obviously, you can never be 100% sure that nothing suspicious is going on until you can see the code with your own eyes. Like those alien and ghost stories. They may be true or not, but until you see one, you can't be sure with absolute 100.00000% certainty.
     
  7. guest

    guest Guest

    Or installing compromised legitimate and trusted software with valid certificates... aka CCleaner or Linux Mint. Sure, I admit it is very rare, but not unseen.
    I also agree that the user is often responsible for being infected by clicking what they shouldn't, but I'm sure there are other more insidious ways we may not be aware of yet. After all, exploits get their name from abusing unknown vulnerabilities; software is human-made and humans make mistakes, and there is always someone to discover such flaws and make a profit with them.

    I am a little bit in the security industry, and what are most researchers doing? They all spend most of their time bug-bounty hunting and analyzing code to find such vulnerabilities.

    A long time ago, I used to know a guy spending all his time bug-bounty hunting and getting cash-rewarded for it, and if the vendors dismissed his finding or didn't pay enough, he just resold it on the dark net... Lol
     
    Last edited by a moderator: Jan 17, 2019
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Back in the day it was easy to exploit browsers; that's how I ended up on this forum, I wanted to learn more about how to protect myself. But browsers have now become quite hard to hack, so I don't believe home users will encounter zero day exploits like back in the days. Hackers reserve exploits mostly for hacking into companies, I believe.

    The CCleaner attack could have been disastrous, but luckily the hackers were not interested in home user PCs. But if they wanted to, they could have spread malware on millions of PCs. And if it was "zero day" malware, most AVs would have failed to spot it. That's why behavior blocking tools remain a must to me.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I came across this article that stated in 2016 there were approximately 4,000 0-day exploits discovered: https://www.cyberscoop.com/zero-day-vulns-are-rarer-and-more-expensive-than-ever/. 0-day exploits are really the ones to be concerned about and as the article noted, they are becoming rarer each year.

    Considering that millions of new malware samples are created on a yearly basis, it can be seen that exploits are a very small portion of total malware.
     
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    Yes, if you go here https://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224, and open the 2018 and 2019 years and ctrl+f "71.0", you will see there were only 33 vulnerabilities found in Chrome 71. This can also be seen here https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=google chrome

    Out of those 33:

    2 only worked on Android and iOS, respectively
    4 were related to URL spoofing, meaning fake sites looking legit by making their address look like "apple.com" or "paypal.com" etc. You'd only arrive on those websites from a fake link, likely one in your email, not by visiting the real sites, and many are marked as fake by various filters after some time
    4 required you to open a specific file in the browser, 3 being PDF files, 1 a WPAD file
    2 required you to install an extension

    And of course, all of the remaining 21 required you to land on the exact html page that the exploit is hosted on. You won't randomly get there by browsing on the internet if you practice safe habits, that's for sure. Not to mention, many of those 21 (and that's how it usually is, not just these 21) were not serious vulnerabilities, for example, one of them requires you to search something using the omnibox (address bar) once you're on the html page where the exploit is, and then the url will change but the page will stay the same, essentially tricking the user that the page was changed (which is what you'd expect when you type something into your address bar and press enter, you expect to be led to another page). Being exploited requires you to have a reason to actually do that on that page, that's a big difference from being exploited just by visiting the page (this is the exploit in question https://bugs.chromium.org/p/chromium/issues/detail?id=879965 , CVE-2018-20067). And that's what most of those vulnerabilities are, they require you to fulfill a specific condition in order for the exploits to do what they're supposed to (in the last example, that would be you thinking you're on the legit page but you're actually still on the exploited page which now looks like the legit page you were expecting)
     
    Last edited: Jan 19, 2019
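The post above sorts Chrome 71 CVEs by what the victim has to do before the bug matters (open a file, install an extension, land on a page). CVSS v3 vector strings encode the same preconditions in their Attack Vector (AV) and User Interaction (UI) metrics, so the following added example (not code from the thread or from cvedetails) parses such vectors and tallies records into the post's coarse buckets. The records and vector strings are constructed sample data with placeholder CVE ids, not real scores.

```python
"""Triage CVE records by the preconditions an attacker needs (added example)."""
from collections import Counter

# Constructed sample: (placeholder_cve_id, cvss_v3_vector). Not real CVSS data.
SAMPLE_RECORDS = [
    ("CVE-XXXX-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),  # visit a page
    ("CVE-XXXX-0002", "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),  # open a local file
    ("CVE-XXXX-0003", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # no interaction
    ("CVE-XXXX-0004", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),  # spoofing-class
    ("CVE-XXXX-0005", "not-a-vector"),                                   # malformed feed entry
]

REQUIRED_BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_cvss_vector(vector):
    """Return a dict of CVSS v3 base metrics, or None if the string is malformed."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        return None
    metrics = {}
    for part in parts[1:]:
        if ":" not in part:
            return None
        key, value = part.split(":", 1)
        metrics[key] = value
    # All eight base metrics must be present for a usable triage decision.
    return metrics if REQUIRED_BASE_METRICS.issubset(metrics) else None


def precondition_bucket(metrics):
    """Map base metrics to the coarse buckets the post above uses."""
    if metrics["AV"] in ("L", "P"):          # Local or Physical attack vector
        return "needs a local file or physical access"
    if metrics["UI"] == "R":                 # User Interaction: Required
        return "needs the victim to act (visit a page, click, open)"
    return "no victim action needed"


def triage(records):
    """Count records per bucket; malformed vectors are counted, not dropped."""
    counts = Counter()
    for _cve_id, vector in records:
        metrics = parse_cvss_vector(vector)
        if metrics is None:
            counts["unparseable vector"] += 1
            continue
        counts[precondition_bucket(metrics)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in triage(SAMPLE_RECORDS).most_common():
        print(f"{n:3d}  {bucket}")
```

Counting the "unparseable vector" bucket separately matters in practice: feeds routinely carry entries without a v3 vector, and silently dropping them would understate the share of bugs that need no victim action.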