Re: how often do 0-days REALLY happen?

From: Michal Zalewski (lcamtufat_private)
Date: Tue Jan 08 2002 - 17:13:08 PST

    On Tue, 8 Jan 2002, leon wrote:
    
    > Just figured I would throw that out there and see how everyone responds
    > because I was thinking about it on the walk home (hey, shoot me, it is
    > cold in nyc, gotta do something to keep from freezing).
    
    The truth is that 0-days are very "expensive". If you got one, you
    probably do not want to "waste it" by compromising a few thousand random
    hosts on the net, because you risk that your 0-day will be detected,
    analyzed, published - and the vulnerability fixed. It very rarely happens
    that exploits leak to the 'masses' before the vulnerability itself is
    announced or fixed. As far as I know, zero-disclosure security research on
    brand new bugs is pretty limited - and results usually do not leak to
    script kiddies. So in general, to the best of my knowledge, 0-day
    compromises are reported rarely; I expect this to happen maybe once a
    year for Unix systems, at best.
    
    How often 0-days are used in targeted attacks - this is a completely
    different question. First of all, this will probably be performed by
    people who are experienced and skilled - authors themselves or their
    trusted friends. Thus, detectability is significantly lower. Then, even
    if detected, such an incident will very likely be covered up. So you can
    only guess.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
              http://lcamtuf.coredump.cx/photo/
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 21:44:54 PST