% of exploits that are "zero-day" ones

Discussion in 'other security issues & news' started by Joeythedude, Sep 19, 2009.

Thread Status:
Not open for further replies.
  1. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Zero-day exploits get a lot of attention when they "hit".

    Naturally enough :)

    But are there any statistics on how often they occur?
    I think I read they average about 1-2 a year?

    Any thoughts?
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Like the term "White Listing," "Zero-day" is a useless description anymore, for it means whatever anyone wants it to mean.

    Zero-Day Malware Attacks You Can't Block
    http://www.pcworld.com/article/129020/zeroday_malware_attacks_you_cant_block.html
    Zero-day virus
    http://en.wikipedia.org/wiki/Zero-day_virus
    ----
    rich
     
  3. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    I was under the impression that all malware is at its release date a 0-day exploit.

    Whether it is discovered by anti-malware writers or a normal user through infection first, it still has to be released into the wild, then found, still a 0-day exploit.

    Just seems some make more news than others depending on their target/payload.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Good point. So, now there is another variable in the description of zero-day!

    Another good point, and I'll add that the assumption often is that if the exploit is unpatched and not yet in AV databases, the infection is automatic. From the pcworld.com link I cited above:

    Well, maybe it doesn't happen! Every 0-day exploit I've seen downloads/installs a malicious executable file. All blocked at this point by Software Restriction Policies.

    At some point they all write to a System folder, blocked at this point if the user is running in a Limited User Account.

    Two means of prevention, both provided within the Operating System. No extra security products necessary.

    So, the 0-day threat so-called may not be such a threat after all, depending on the circumstances. Some recent examples that serve up a malicious executable:

    0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks
    2009-07-06
    http://isc.sans.org/diary.html?storyid=6733

    YA0D (Yet Another 0-Day) in Adobe Flash player
    2009-07-22
    http://isc.sans.org/diary.html?storyid=6847

    This one was not titled 0-day but it went unpatched for a while:

    Malicious swf files?
    2008-05-27
    http://isc.sans.org/diary.html?storyid=4468
    I've never seen any, but they might be difficult to compile since not all exploits that might fit the description are labeled as such. You could probably compile your own by searching for that term.

    ----
    rich
     
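    As an added illustration of the two operating-system controls rich describes above (a default-deny Software Restriction Policy and a limited user account), here is a PowerShell script that reports how a machine is currently configured on both counts. It is not code from the thread or from any linked article; it assumes the machine-wide SRP data lives under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` with the numeric security-level subkeys listed in the script, and the helper names `Get-SrpState` and `Test-IsLimitedUser` are this example's own.

```powershell
# Added example, not from the thread: report the Software Restriction Policy
# state and whether the current session runs as a limited user, the two
# OS-provided controls discussed above. Assumes the machine-wide SRP key path
# below; a policy applied to the user hive sits at the same relative path
# under HKCU.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels. The level subkeys under CodeIdentifiers are named by
# these decimal values (assumed layout).
$levelNames = @{
    0      = 'Disallowed'
    4096   = 'Basic User'
    131072 = 'Normal User'
    262144 = 'Unrestricted'
}

function Get-SrpState {
    # No key at all means SRP has never been configured on this machine.
    if (-not (Test-Path $saferKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'not set'; PathRules = @() }
    }
    $root = Get-ItemProperty -Path $saferKey
    $default = if ($null -eq $root.DefaultLevel) { 'not set' } else { $levelNames[[int]$root.DefaultLevel] }

    # Walk each level subkey and collect its path rules (ItemData holds the path).
    $rules = foreach ($level in Get-ChildItem -Path $saferKey -ErrorAction SilentlyContinue) {
        $pathsKey = Join-Path $level.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $data = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level = $levelNames[[int]$level.PSChildName]
                Path  = $data.ItemData
            }
        }
    }
    [pscustomobject]@{ Configured = $true; DefaultLevel = $default; PathRules = @($rules) }
}

function Test-IsLimitedUser {
    # True when the current token is not a member of the Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$state = Get-SrpState
"SRP configured:     $($state.Configured)"
"SRP default level:  $($state.DefaultLevel)"
"Path rules:"
$state.PathRules | Format-Table -AutoSize
"Current token is a limited user: $(Test-IsLimitedUser)"
```

    The setup the post relies on shows up here as a default level of Disallowed with Unrestricted path rules only for the system and program folders, so a downloaded executable in a user-writable location has no rule permitting it. On a UAC-enabled system an administrator's unelevated session also reports as a limited user, because its filtered token carries no Administrators membership until elevation, which is the same reason a write to a System folder fails in that session.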
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    0-day = exploitable bug in code that has yet to be patched, hence the name "zero day." A 0-day exploit does not have to be malware.

    All exploitable software bugs are "0-day" when first discovered.
     