Few problems can present as much of a constant headache for software developers as zero-day vulnerabilities – coding flaws that hackers exploit before companies are aware the vulnerability exists. According to a recent report by Symantec researchers, the average duration of a zero-day attack is 312 days, and some discovered in the study persisted for as long as two and a half years.
In data collected from 11 million PCs running Symantec antivirus software, researchers discovered 18 different zero-day vulnerabilities used in attacks. Of these, only seven had previously been identified as having been exploited, leading researchers to speculate that the occurrence of such attacks is higher than generally believed.
“In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought—perhaps more than twice as many,” researchers wrote, adding that the average duration of an attack may also be longer than their statistics suggest.
The zero-day attacks identified were largely focused on Microsoft and Adobe software, with 16 out of 18 affecting programs from one of the two companies, including Microsoft Word, Adobe Reader and Flash. Forbes noted that zero-day attacks often have more insidious espionage goals than common hacker schemes such as credit card data theft.
Many of the attacks found were carefully targeted, with all but four affecting fewer than 100 machines. In four cases, the exploit only affected a single computer. Once an exploit is publicly announced by researchers, attacks using it generally grow at an exponential rate before the developer is able to fix it, the report said.
Catching vulnerabilities before day zero
Given the longevity of such attacks, many experts are increasingly advocating for more attention to security flaws during the development process. A recent Dark Reading article highlighted the cost benefits of embedding secure development life cycle (SDLC) principles into coders’ standard practices, noting that high-pressure development environments and poor training present an impediment to this approach.
In addition to pointing out a report that found only 51 percent of organizations perform software security testing on their code, the site spoke with experts who advocated taking precautions.
"In many cases, convenience and speed wins… But coding for security, with the discipline to test all components for secure programming takes time," Stu Sjouwerman, founder of security training firm KnowBe4, told Dark Reading.
By using practices such as code analysis, developers may be able to catch and mitigate some threats. However, the threat of zero-day vulnerabilities is constant, and coders must stay vigilant, the site warned.