Security Incidents mailing list archives

Re: how often do 0-days REALLY happen?


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Tue, 8 Jan 2002 20:13:08 -0500 (EST)

On Tue, 8 Jan 2002, leon wrote:

> Just figured I would throw that out there and see how everyone responds
> because I was thinking about it on the walk home (hey, shoot me, it is
> cold in nyc, gotta do something to keep from freezing).

The truth is that 0-days are very "expensive". If you got one, you
probably do not want to "waste it" by compromising a few thousand random
hosts on the net, because you risk that your 0-day will be detected,
analyzed, published - and the vulnerability fixed. It very rarely happens
that exploits leak to the 'masses' before the vulnerability itself is
announced or fixed. As far as I know, zero-disclosure security research on
brand new bugs is pretty limited - and results usually do not leak to
script kiddies. So in general, to my best knowledge, 0-day compromises
are reported rarely; I expect this to happen maybe once a year for Unix
systems, at best.

How often 0-days are used in targeted attacks - this is a completely
different question. First of all, this will probably be performed by
people who are experienced and skilled - the authors themselves or their
trusted friends. Thus, detectability is significantly lower. Then, even
if detected, such an incident will very likely be covered up. So you can only
guess.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/


