Recently, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. With the use of empirical data, NSS has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. With specialized companies offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker, and with half a dozen boutique exploit providers jointly having the capacity to offer more than 100 exploits per year, privileged groups have the ability to compromise all vulnerable systems without the public ever being aware of the threats. Read on to learn more about the "known unknowns."
December 5, 2013