On Tue, 8 Jan 2002, leon wrote: > Just figured I would throw that out there and see how everyone responds > because I was thinking about it on the walk home (hey, shoot me, it is > cold in nyc, gotta do something to keep from freezing). The truth is that 0-days are very "expensive". If you got one, you probably do not want to "waste it" by compromising few thousand random hosts on the net, because you risk that your 0-day will be detected, analyzed, published - and the vulnerability fixed. It very rarely happens that exploits leak to 'masses' before the vulnerability itself is announced or fixed. As far as I know, zero-disclosure security research on brand new bugs is pretty limited - and results usually do not leak to script kiddies. So in general, due to my best knowledge, 0-day compromises are reported rarely, I expect this to happen maybe once a year for Unix systems, at best. How often 0-days are used in targeted attacks - this is a completely different question. First of all, this will be probably performed by people who are experienced and skilled - authors themselves or their trusted friends. Thus, detectability is significantly lower. Then, even if detected, such incident will be very likely covered up. So you can only guess. -- _____________________________________________________ Michal Zalewski [lcamtufat_private] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-= http://lcamtuf.coredump.cx/photo/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 21:44:54 PST