0-day exploits more than double as attackers prevail in security arms race

Enlarge / The number of zero days showed their sharpest rise ever in 2015, reaching a record 54. (credit: Symantec)

The number of attacks that exploited previously unknown software vulnerabilities more than doubled in 2015 as hackers raced against security defenders to find effective ways to infect end users with malware, according to a recently released report.

The number of “zero-day” exploits—a term that was coined because affected software developers have zero days to release a patch that keeps users protected—reached an unprecedented 54, according to researchers at security firm Symantec. That number compared with 24 in 2014, 23 in 2013, and 14 in 2012. The increase was partly caused by the breach of Italy-based zero day broker Hacking Team, which spilled six closely guarded zero days into the public domain. It also came as Adobe and other developers significantly reduced the time it took to release patches that plugged zero-day holes.

“It is difficult to defend against new and unknown vulnerabilities, particularly zero-day vulnerabilities for which there may be no patch, and attackers are trying hard to exploit them faster than vendors can roll out patches,” Symantec researchers wrote in the company’s annual Internet Security Threat Report. The report went on to say that the Angler exploit kit, a package sold in Internet crime forums, was able to quickly integrate the growing number of zero days into its arsenal.

Read 3 remaining paragraphs | Comments

Technology Lab – Ars Technica