Zero-day Attack - Vulnerability Window

Vulnerability Window

Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.

For viruses, Trojans and other zero-day attacks, the vulnerability window follows this time line:

  • The developer creates software containing an unknown vulnerability
  • The attacker finds the vulnerability before the developer does
  • The attacker writes and distributes an exploit while the vulnerability is not known to the developer
  • The developer becomes aware of the vulnerability and starts developing a fix.

Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. Developers also may not know if the vulnerability is being exploited when they fix it, and so may not record the vulnerability as a zero-day attack. By one estimate, "hackers exploit security vulnerabilities in software for 10 months on average before details of the holes surface in public," i.e., the average vulnerability window of a zero-day exploit is about 10 months. However, it can be easily shown that this window can be several years long. For example in 2008 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001. The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years.

Read more about this topic:  Zero-day Attack

Famous quotes containing the word window:

    Without stirring abroad, One can know the whole world; Without looking out of the window One can see the way of heaven. The further one goes The less one knows.
    Lao-Tzu (6th century B.C.)