Secret vulnerabilities in computer programs are especially prized by criminal gangs, law enforcement and spies because software vendors have not been warned and so cannot publish fixes.
In 2015, 54 such holes came to light and were deployed by hackers, according to a report published on Monday by the largest security software vendor, Symantec Corp. That is up dramatically from 24 the year before and 23 the year before that; the next-highest total over the past 10 years was 15 in 2007.
Symantec’s total of “zero-day” or unknown vulnerabilities includes both flaws that were discovered because they were used by top-flight hackers who left tracks and those that were revealed to the public at the same time as the software maker.
In 2015, electronic files named “Hacking Team” were dumped on the Internet, including six zero-days that criminals quickly made use of.
Thousands of other flaws were identified as usual last year by vendors, outside researchers, and government agencies. The vendors develop and issue patches, either announcing the flaws or pointing to them by virtue of the fixes.
Since criminals and others immediately take advantage of flaws to reach into unfixed machines, users must patch rapidly and completely or face being hacked.
Though most attacks happen because of inadequate patching, the rapid spread of new flaws through “exploit kits” sold in underground forums has allowed zero-days to be obtained by more people, including those installing ransomware and programs for stealing financial logins.
Four of the five most-used zero-day vulnerabilities last year were in Adobe Systems Inc’s Flash software, which can be used as a standalone program or a plug-in for various Web browsers, not all of which automatically update with Flash patches. Symantec said it expected Flash to become less popular as platforms stop supporting it, making it less of a bonanza for hackers.
Adobe said it had improved its security response. “Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers,” the company said via email.
“With regards to zero-days, we’ve been able to expedite the patching process to just days.”