Zero-day attacks are meaner, more rampant than we ever thought

Computer attacks that target undisclosed vulnerabilities are more common and last longer than many security researchers previously thought. The finding comes from a new study that tracked the number and duration of so-called zero-day exploits over three years.

The typical zero-day attack, by definition, exploits software flaws before they are publicly disclosed. It lasts on average 312 days, with some lasting as long as two and a half years, according to the study by researchers from antivirus provider Symantec. Of the 18 zero-day attacks the researchers found between 2008 and 2011, 11 of them previously went undetected. Recent revelations that the Stuxnet malware that sabotaged Iranian nuclear facilities relied on five zero days already underscored the threat posed by such attacks. But the researchers said their findings suggest the menace may be even greater.

"Zero-day attacks are difficult to prevent because they exploit unknown vulnerabilities, for which there are no patches and no anti-virus or intrusion-detection signatures," they wrote. "It seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to zero-day attacks. In fact, 60 percent of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought—perhaps more than twice as many."