Security holes called as zero-day vulnerabilities can lie dormant for up to 10 years, a new study has suggested. Which means that attackers have plenty of time to generate sophisticated exploits for a wide range of software.Security holes remain 'undiscovered for years', suggests study

The study conducted by the research organisation Rand considered 200 security flaws. Surprisingly, 40% of these flaws are not yet publicly known.

The Wikileaks documents suggest the CIA has gathered a portfolio of zero-day vulnerabilities.

The study reveals:

  • 25% of vulnerabilities are publicly known within one and a half years
  • 25% of vulnerabilities remains undiscovered for more than nine and a half years
  • Publicly known vulnerabilities are frequently disclosed with a patch
  • Once a vulnerability is detected, an exploit can be developed within an average span of 22 days

Lillian Ablon, the lead author of the study, said that “determining whether to stockpile or publicly disclose a zero-day vulnerability is the game of trade-offs especially for the government”.

Ms. Ablon said: “Viewing it from national governments perspective if some opponent knows about the vulnerability, then publicly revealing the flaw could strengthen one’s own defence by compelling the affected vendor to apply a patch and secure itself against the opponent using the vulnerability against them.”

Stuxnet, which is one of the high profile pieces malware in recent years, was dependent on four Microsoft zero-day exploits to square up Iran’s nuclear programme. Wikileaks reports that last year CIA has built up an arsenal of 24 Android zero-day vulnerabilities. Later on, the Google said that the Android and Chrome users need protection from different exploits, thanks to security updates and patches.

Art Swift, president of the PRPL Foundation, which is the leading open-source software, told the BBC: “The disappointing thing in these findings is that in the government’s initiatives to protect US citizens from cyber-attacks, is actually exposing them to cybercriminals and nation-state attackers badly.

These flaws and encouraging vendor backdoors actually weaken the entire system.”