46% of exploited zero-day vulnerabilities were in Microsoft products
Targeted attacks on companies and government agencies are no longer a curiosity. Almost every day we learn about malicious activity or data leaks, and read about cyber espionage that is blamed by turns on Russian or Chinese hackers.
However, not all attackers manage to infiltrate a corporate network and steal important data. In the most difficult cases they use previously unknown vulnerabilities, that is, zero-day vulnerabilities.
Exploits for zero-day vulnerabilities are quite expensive and are not used in every attack. Moreover, the term has become so generalized in the media that many journalists call any new vulnerability a zero-day vulnerability.
According to the research project Zero-day vulnerability tracking project, zero-day vulnerabilities were used in 44 known hacker campaigns aimed at the corporate and public sectors in various countries. The most ambitious campaign is known as Operation Aurora, in the course of which 8 different zero-day vulnerabilities were used. Its victims included such well-known IT giants as Google, Yahoo, Symantec, Juniper Networks and Adobe.
According to data published in the study, from 2006 to 2016 cyber criminals successfully used 334 zero-day vulnerabilities in targeted and mass attacks. The largest number of zero-days (46%, or 153 vulnerabilities) was found in Microsoft products, which is not surprising, since Microsoft's products are a common choice in the public and corporate sectors.
The report showed that manufacturers have been paying more attention to actively exploited vulnerabilities. The average time between vulnerability disclosure and the release of security patches was reduced from 25 days in 2012 to 1 day in 2016. Mean time to zero-day was 17 days. This is mainly due to the disclosure policies of information security companies and manufacturers. Over the whole reporting period, information about almost half of the vulnerabilities (45.51%) was published on the day the patch was released.
On average, vulnerabilities disclosed to third parties were eliminated within 32 days.