Zero-day exploits strike fear into the heart of computer security pros. An active attack, unrecognized by antimalware software and without a ready vendor patch, is harder to deal with than your run-of-the-mill security bug. You can't just run a scanner, slap on a patch, high-five your friends, and call it a day.
With zero-days, you wonder what mitigation you can apply while waiting for the vendor to release a patch. Worse, some mitigations do more damage than the exploit itself. That's why most customers don't do anything. They remain unprotected until the vendor pushes the patch.
Fortunately, while zero-days get lots of press, they aren't a huge factor. The vast majority of successful attacks and exploits arrive after the vendor has released the patch. In most cases, zero-day attacks are fairly targeted, so even the exploits "in the wild" don't spread worldwide. For example, the Stuxnet worm contained a few zero-days, but it was meant to take down specific targets, even if thousands of copies later leaked out all across the globe.
Zero-days may occur rarely, but they're high-risk, so you need to have a plan for them. Just how frequent are zero-days, whether in the wild or not? Initially, based on reading I've done over the years, I thought the number would be quite low -- perhaps five to seven zero-days per year. But a recently released NSS Labs white paper convinced me that I've underestimated.
NSS Labs: More zeros than you think
Entitled "The Known Unknowns," the white paper analyzed data from two professional firms that offer zero-days to customers on a very expensive subscription basis. The author writes, "On any given day over the past 3 years, two vulnerability purchase programs alone gave their privileged subscribers early access to at least 58 vulnerabilities, on average, in Microsoft, Apple, Oracle or Adobe products."