SANS: Zero-Day Exploits on The Decline


For years, the SANS Institute and others in the security industry have been warning about a rise in zero-day attacks. For 2007, the message is actually a little bit different, with SANS reporting that zero-day attacks are actually on the decline.

In its 2007 Top 20 Vulnerabilities listing, SANS noted that "several zero day attacks were recorded in 2007 although that number has dropped from the previous year."

The listing, which does not rank vulnerabilities in order of severity, actually placed placed zero-day vulnerabilities at No. 18, which is actually the last spot.

During a conference call discussing the results, SANS Top 20 Project Manager Rohit Dhamankar explained that though zero-day attacks are 18th on the list, it doesn't imply that the associated risks are less serious.

"Zero-day was last not because it was least important but it had already captured in other categories," Dhamankar "By putting it in slot 18, it in no way implies that it is less important."

Nevertheless, Dhamankar, who is also senior manager of security research at TippingPoint, confirmed the report's findings that zero-day attacks are on the decline.

Ed Skoudis, who serves as course director for SANS Incident Handling and Hacker Exploits, explained during the conference call why he thinks zero-day is on the decline.

"One of the reasons is that bad guys don't have to use them (zero day)," said Skoudis, who also founded information security consultancy Intelguardians.

For example, he said, the Storm worm propagates itself though users clicking on an e-mail link, and does not require a zero-day exploit to function.

"When simple techniques work, there is no need to unfurl zero-days," Skoudis said. "Attackers can just save them for more targeted attacks."

Another reason why zero-way attacks may well also be on the decline, according to Skoudis, is due to a change in the definition of what actually constitutes a real zero-day exploit.

"We've seen a phenomenon that we have Microsoft 'Patch Tuesday' and that day is followed by 'Zero-Day Wednesday' when exploits come out," Skoudis said.

Exploits released on the Wednesday following "Patch Tuesday" are no longer considered to be zero-day, Skoudis said. He argued that zero-day Wednesday was never properly named as it should have been referred to as "1-Day Wednesday" since the exploits would be one day old.

Dhamankar, meanwhile, said that nomenclature aside, the industry has seen a real decline in zero-days.

This article was first published on To read the full article, click here.