Software Integrity Blog


Report finds criminal use of zero days doubled in 2015

The latest edition of the Symantec Internet Security Threat Report finds that the use of zero days, software flaws previously unknown to the software vendor, doubled in 2015 over the previous year, a 125 percent increase. Or, as Symantec phrased it on its website, a new zero-day vulnerability was found every week (on average) in 2015.

The numbers aren’t huge, but they are significant. In 2015, 54 new zero-day vulnerabilities were deployed by criminal hackers. That is an increase from 24 the year before and 23 the year before that. Look back over the past 10 years and the next-highest total was 15 in 2007.

The report found that four of the five most-used zero-day vulnerabilities last year were in Adobe Flash software.

“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers,” Adobe told the Reuters News Service. “With regards to zero-days, we’ve been able to expedite the patching process to just days.”

The report found that “exploit kits,” often sold in underground forums, allow more people to spread zero days for use in financial service Trojans and ransomware.

