14 DAY TRIAL // From 2014 to 2015, the number of zero-day vulnerabilities sky-rocketed from 24 to 54, showing a rising trend of zero-day brokerage that's been fueling the criminal underground.
A zero-day is a security flaw that exists in a product without the vendor's knowledge, actively exploited in attacks. Once the vulnerability becomes public or is patched, the zero-day ceases to exist.
In cyber-security and its shady hacking underground, zero-day vulnerabilities are the Holy Grail. Security vendors strive to find them to gain glory while hackers try to unearth new ones to use with their illegal campaigns.
The total number of zero-days grew by 125 percent in 2015
In Symantec's year-in-review report for 2015, the cyber-security vendor observed a rise of 125 percent in zero-days during the past year, compared to the previous period. Symantec estimates that it takes companies around seven to eight days to mitigate such dangers.
"Given the value of these vulnerabilities, it’s not surprising that a market has evolved to meet demand. In fact, at the rate that zero-day vulnerabilities are being discovered, they may become a commodity product," Symantec noted.
The company highlights that most of these zero-days were uncovered in Flash, with four of the top five most exploited zero-days belonging to Adobe's much-maligned product.
Flash vulnerabilities accounted for 17 percent of all zero-days
In fact, of the total of 54 zero-days, ten belonged to Flash, for a 17 percent stake. Last year's most exploited zero-days was CVE-2015-0313, a use-after-free vulnerability in Adobe Flash Player, used in 81 percent of all targeted attacks.
Besides Flash, other technologies which had notable zero-days discovered in 2015 include Microsoft Windows (6 zero-days), Android (4), Internet Explorer (2), and Microsoft Office (2).
Outside of closed-source software, open-source solutions were also targeted, with Symantec detecting eleven zero-days used in live attacks, usually in e-commerce and CMS platforms, networking protocols, or technologies such as OpenSSL and Samba.
For more details, check out the 81-page 2016 Internet Security Threat Report, which is available for download from Symantec's website.
