
Hackers' 'Zero-Day' Exploits Stay Secret For Ten Months On Average

Sparrowvsrevolution writes "Maybe instead of zero-day vulnerabilities, we should call them -312-day vulnerabilities. That's how long it takes, on average, for software vendors to become aware of new vulnerabilities in their software after hackers begin to exploit them, according to a study presented by Symantec at an Association of Computing Machinery conference in Raleigh, NC this week. The researchers used data collected from 11 million PCs to correlate a catalogue of zero-day attacks with malware signatures taken from those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, seven of which weren't previously known to have been zero-days. And most disturbingly, they found that those attacks continued more than 10 months on average – up to 2.5 years in some cases – before the security community became aware of them. 'In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought — perhaps more than twice as many,' the researchers write."
  • by Lennie ( 16154 ) on Wednesday October 17, 2012 @06:14AM (#41679369)

    I'm just glad that when a software vendor releases a fix, including security fixes, it only takes up to a couple of days until my system gets its updates.

    Everything else just means: you need to have faith in the original programmer and the team that handles the vulnerability reports.

    Open source or not.

    I believe open source works better though; I've never seen a case where someone reported a security bug and it was delayed for months on end.

    Other than something like this: "Last year (2011) there was a period of several months when the CentOS project did not issue any security advisories or updates for CentOS 6. Many CentOS users got frustrated and worried about their system security."

    Which just means people have the choice to replace CentOS with another distribution and mostly live happily ever after.

    With a closed system you can't; there is only one vendor of Windows, right?

  • by Anonymous Coward on Wednesday October 17, 2012 @07:11AM (#41679547)

    When you release something as open source, your reputation is on the line as everybody can inspect your coding. That in turn forces developers to be much more diligent.

    Commercial software, on the other hand, is often a stinking heap of nasty and un-reviewed code. Managers regard it as a waste of resources to do proper code reviews (and consequential cleanups), because "that does not contribute to the development of new features which can be sold for $$$". And because most managers are proud to be ignorant dumbasses.

  • Re:Actually, (Score:5, Informative)

    by Anonymous Coward on Wednesday October 17, 2012 @10:50AM (#41681165)

    Even when showing the extension you are vulnerable.
    Using the Unicode character U+202E one can write from right to left and hide the real extension: for example the executable "SexyL[U+202E]gpj.exe" will be shown as "SexyLexe.jpg" by the file manager!

    On Linux you can create such a file with
    echo > $'SexyL\342\200\256gpj.exe'

  • Re:Actually, (Score:4, Informative)

    by MattskEE ( 925706 ) on Wednesday October 17, 2012 @12:06PM (#41682365)

    Even when showing the extension you are vulnerable.
    Using the Unicode character U+202E one can write from right to left and hide the real extension: for example the executable "SexyL[U+202E]gpj.exe" will be shown as "SexyLexe.jpg" by the file manager!

    On Linux you can create such a file with
    echo > $'SexyL\342\200\256gpj.exe'

    Rather than simply modding you up I decided to try this out, and it works! Which is kind of creepy.
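The right-to-left override trick discussed in the two comments above, seen from the defender's side, as an added example that is not code from the post or its commenters: a small Python checker that flags filenames carrying Unicode bidirectional control characters, reports the extension the operating system will actually use, and models what a naive file manager displays for the single-override case. The sample filename is the one from the comment; the helper names are my own.

```python
import unicodedata

# Bidi classes of the explicit embedding/override/isolate controls
# (U+202A..U+202E and U+2066..U+2069), as reported by unicodedata.
EXPLICIT_BIDI_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO",
                         "LRI", "RLI", "FSI", "PDI"}
# Invisible directional marks that also deserve a flag in a filename.
BIDI_MARKS = {"\u200e", "\u200f", "\u061c"}


def bidi_controls_in(name):
    """Return the bidi control characters present in a filename."""
    return [c for c in name
            if c in BIDI_MARKS
            or unicodedata.bidirectional(c) in EXPLICIT_BIDI_CLASSES]


def real_extension(name):
    """Extension the OS uses: text after the last '.' in the raw
    (logical-order) string, ignoring how the name is rendered."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def displayed_form(name):
    """What a naive file manager shows for a name with one U+202E:
    everything after the override is drawn reversed. This models only
    the single-override case from the comment, not full bidi layout."""
    idx = name.find("\u202e")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def assess(name):
    """Summarise the risk signals for one filename."""
    controls = bidi_controls_in(name)
    return {
        "suspicious": bool(controls),
        "controls": [f"U+{ord(c):04X}" for c in controls],
        "real_extension": real_extension(name),
        "displayed_as": displayed_form(name),
    }


# Constructed sample: the filename used in the comment above.
SAMPLE = "SexyL\u202egpj.exe"

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A mail gateway or download scanner can apply the same check to attachment and download names and treat any bidi control character in a filename as a reason to quarantine or to show the raw extension.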
