Zero-day vulnerability is a futuristic sounding term – you can almost picture it as the name of a science fiction novel – but it presents a great threat to organizations across all industries. These vulnerabilities are holes in software which lack a patch or fix, meaning they can be exploited by clever cyber criminals to steal your information.

Back in 2014, Anthem, a major US health insurer, suffered what was then the biggest healthcare breach ever. This attack was conducted by a group known as “Black Vine,” who used zero-day vulnerabilities in Internet Explorer to carry out the attack.

Recently, RAND corporation, a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, released a study analyzing the threat nature of these zero-day vulnerabilities.

Here’s what they found.


To conduct this study, RAND analyzed a set of 200 zero-day vulnerabilities from 2002 to 2016 – with around 40% of these vulnerabilities unknown to the public. For this reason, this dataset is incredibly unique and valuable. Simply put, no one has ever been able to obtain access to and track data like this for such a long period of time. And there are some pretty significant takeaways.

To begin with, this study found that the exploits attackers use work for nearly seven years before they finally lose their effectiveness. Furthermore, the study notes that, “Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.”

So the vulnerabilities are there, but how long does it take for attackers to develop an exploit that can capitalize on this weakness? As it turns out, the median time is only 22 days, a relatively short amount of time. The study also found that 5.7% of zero-day vulnerabilities have been, “publicly discovered and disclosed by another entity.”

What this means for you

The results of this study are meant to provide a snapshot into what has been a historically muddled issue. Though software companies often provide the patches to fix these vulnerabilities, users may not choose to upgrade them. There’s also the issue of vendors just failing to notify their users of these weaknesses, leaving many organizations unknowingly open to attack.

The only way for software providers to solve this issue is to assume they are compromised from the beginning and, rather than patch one by one, improve the overall architecture of their systems. That means rethinking every aspect of how they build the security of their products – a costly and time consuming process.

Along with this, there’s a debate within the cybersecurity sector over whether the US government should let vendors know about these weaknesses or not. While this debate plays out, your organization remains at risk.

BAI Security’s Compromise Assessment helps root out zero-day code that might be lying in wait in your system. By deploying highly specialized, forensic software on all endpoints within your organization, we are able to uncover all potential hidden threats. Zero-day vulnerabilities can open the door to attackers; we’ll help you slam it shut.