The Symantec Internet Threat Study indicates that in 2014, there were 24 Zero day vulnerabilities as compared to 23 in 2013.
Zero-day vulnerabilities are vulnerabilities against which the vendor has not released a patch. The absence of a patch presents a threat to organizations and consumers alike, because in many cases this type of threat can evade purely signature-based detection techniques used by Anti malware software until a patch is released.
The zero day vulnerabilities if found by the fraudsters, will be exploited by them more easily than otherwise. Some times the vendors come to know of the vulnerabilities but are unable to release a patch and for fear of reputation and business loss remain silent and not announce the presence of unpatched vulnerabilities. This makes them complicit to the frauds that occur and should make them legally liable if law takes its normal view on such “negligence”.
When a Cyber Insurer has provided a liability insurance, he is also at a great disadvantage when Zero day vulnerabilities are exploited since security professionals may find it difficult to counter threats targeting such vulnerabilities.
The Study lists the 24 Zero day vulnerabilities found in 2014 and it is observed that 16 of them relate to Adobe. It includes vulnerabilities in Adobe Flash player as well as Reader. Microsoft accounts for 7 and the other is on Linux.
The study notes that their data base has over 62300 vendors of whom 62400 recorded vulnerabilities have been found. It also states that the top 5 vulnerabilities were exploited for a combined period of 295 days during the year highlighting the risks that we are facing.