Zero-Day Exploits Doubled in 2015, Symantec Finds

In its annual Internet Security Threat Report, Symantec reveals that attackers exploited 54 zero-day vulnerabilities in 2015, more than doubling the previous year's total.

zero-day flaws

The number of zero-day vulnerabilities discovered in 2015 jumped to 54, more than double the previous year's record-setting 24 such vulnerabilities, Symantec stated in its annual Internet Security Threat Report (ISTR) released on April 12.

The dramatic increase in zero-day vulnerabilities—defined by Symantec as software security flaws that are exploited before being patched by their vendors—is likely driven by the demand for such weaknesses. National intelligence agencies, law enforcement agencies and the military all have needs for compromising systems to gather data and evidence, or attack systems and networks.

"The trend is reflecting the professional hunters out there, looking for zero-days for fun and profit," Kevin Haley, director of security response at Symantec, told eWEEK. "Obviously, nation-states continue to look for them and buy them, and there are people who are making money selling them."

From 2006 on to 2012, the company documented only 8 to 15 zero-day vulnerabilities each year. The following two years saw approximately two dozen zero-day vulnerabilities annually, according to previous Symantec reports. The 2015 total is a 125 percent increase over the 24 zero-day vulnerabilities seen in 2014.

It is "not really a surprise that we should see them grow, but it is a record year, far higher than we have been seeing since we started tracking them in 2006," Haley said.

Zero-day vulnerabilities, however, account for a very small portion of the security weaknesses exploited in system and network compromises. Phishing attacks, known vulnerabilities and drive-by downloads paired with malware pose far more common problems for organizations and individuals.

The number of malware variants—versions of malicious programs with unique hashes, often created through automated packers and "fully undetectable" services—climbed for the third straight year, according to Symantec's data. The number of new malware variants, as classified by Symantec's technology, jumped to 431 million in 2015, from 317 million in 2014 and 252 million in 2013. However, the number of variants is on par with previous years, such as the 430 million variants in 2012.

Underscoring that Symantec's ISTR seems to be all about the big numbers, the company also reported that 429 million records were exposed in 2015, a jump of 23 percent. Yet, more companies—85 percent more, according to the firm—decided not to report the number of records compromised in a breach.

"They are not sharing those details," Haley said. "More companies are not being transparent."

Symantec argued that if those companies issued estimates of the number of records lost, the total compromised record count would exceed a half billion in 2015.

"The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend," the company said in the report. "Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping all of us improve our security products and postures, some of this data is getting harder to collect."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...