Zero-DAY Vulnerability Statistics

Abstract
Terminology
Scope
Period
Data sources
Key findings
Famous campaigns highlights
Vulnerability distribution by vendors
Vulnerability distribution by software categories
Vulnerability distribution by software
Remediation period
Brief review by years
- 2006
- 2007
- 2008
- 2009
- 2010
- 2011
- 2012
- 2013
- 2014
- 2015
- 2016
Final word

Abstract

Security is not a process. It's a state until you get pwned (c)

This research covers the most dangerous kind of vulnerabilities - the ones that are unknown to anybody except the malicious actor. Once they are used in a properly engineered attack there is no way to stop the hack. For the past decade we have witnessed sophisticated crimes, perfectly planned, organized and executed by the real Kung Fu masters of keyboard, mouse and espionage.

During our research we have gathered and analyzed publicly available information about almost 100 APT campaigns and reports on more than 500 vulnerabilities, suspected to be exploited in the wild both in targeted and mass attacks. As data sources we have used vulnerability databases, reports from companies and researchers in the field, news articles, official statements, etc. For comparison purposes we have chosen yearly reports from major IT security market players, who publish zero-day vulnerability statistics, such as Symantec, Trustwave, Flexera/Secunia, and FireEye.

So here we are, to tell you everything we know about zero-days.

Sincerely yours,
Valerii Marchuk
Cybersecurity Help team =)

Terminology

In this report we will operate the terms, described below. Despite some of them are widely used, we still feel the need to describe them to avoid any possible misunderstandings or double meanings.

Vulnerability - is an error in software code, which can be used with security impact, e.g. can influence confidentiality, integrity or availability of the application.

Zero-day candidate - is a vulnerability, which can potentially be used in targeted attacks, however there is not enough evidence to confirm its actual exploitation before the official security fix release.

Zero-day vulnerability - is a vulnerability, which has been exploited in real-world attacks before vendor was able to issue a security fix.

Software category - category of applications, which is used to describe the basic functionality of the particular software.

Client/Desktop applications - software for end-users used primarily on user desktops, e.g. browsers, video players, text processors, etc.

Server applications - software used on server systems as services or daemons, e.g. web servers, database engines, DNS servers, etc.

Web application - software used to serve web content with help of web server, e.g. content management systems, forum and blogging software, e-commerce, etc.

Hardware solutions - mostly firmware used on a variety of hardware appliances.

Scope

The scope of this research was to identify, classify and analyze all publicly known zero-day vulnerabilities for the past 11 years. During our research we have investigated reports on over 500 vulnerabilities, suspected to be exploited in the wild both in targeted and mass attacks. All vulnerabilities were treated as zero-day candidates and then transferred into zero-day vulnerabilities once evidence of their exploitation in the wild before official patch release was confirmed.

Period

Information, provided in this research, is based on data collected and analyzed between 2006 and 2016.

Data Sources

For this research we have used OSINT (Open Source Intelligence) approach, gathering and analyzing publicly available data sources, such as vulnerability databases, reports from companies and researchers in the field, news articles, official statements, etc. For comparison purposes we have chosen yearly reports from major IT security market players, who publish zero-day vulnerability statistics, such as Symantec, Trustwave, Flexera/Secunia, and FireEye.

Key findings

The research covers 11 years from 2006 until 2016 and identifies 334 zero-day vulnerabilities used in various attacks worldwide. Zero-day vulnerabilities are usually reported on yearly basis by several IT security companies, however the reported numbers almost always differ (even from one yearly report to the other for the same period in reports of the same company). On the graph below you can see the number of zero-day vulnerabilities reported by each IT security company. In case of Flexera/Secunia we used numbers available in the latest reports for the particular year.

The huge problem with the statistics above is that security reports usually do not reveal much information about the zero-day vulnerabilities in their reports except their total quantity. We hope that we were able to cover all zero-day vulnerabilities, identified by these companies.

The problematic year in question is 2015, when Symantec reported 54 zero-days. We were able to confirm 36 vulnerabilities only. The difference between numbers from OSINT research and Symantec report comes from the number of zero-days discovered in different types of software, as stated in the table below:

Source	Symantec	OSINT
ICS/SCADA systems	7	0
Adobe Flash Player	10	10
Open source software	11	4
Hacking Team exploits	6	6
Other vulnerabilities	20	16
Total	54	36

The above graph is still to be updated with new data, once they are available.

The facts

During this research we have come to interesting conclusions and deeper understanding of the nature for zero-day attacks.

The largest number of zero-day vulnerabilities was reported in Microsoft products - 46% of all zero-days. The second closes vendor is Adobe with just 18% of the "market". At the same time, the malware developers chose office applications as the most popular attack vector (73 zero-days) and operating system components (72 zero-days). The third place is taken by the number of exploits against browser-based plugins (e.g. ActiveX components, Adobe Flash player, Silverlight, etc) - 57 in total. Along with web browsers (41 zero-days) they cover 73% of all vulnerabilities used in targeted attacks.

The highest amount of zero-day vulnerabilities was discovered in Microsoft Windows operating system (18,62%). The second place is taken by Adobe Flash Player (12,31%). Third and fourth places are divided between Microsoft Office components (11,41%) and Internet Explorer (10,51%). The fifth place is taken by JustSystems Ichitaro (4,5%).

55% of all zero-day vulnerabilities were disclosed before vendor was able to issue security patch, and it took 32 days on average to fix these vulnerabilities.

The number of days to react on publicly disclosed zero-day and issue a security patch starts to lower significantly from 2015. It took 9 days on average in 2015 to issue a security patch and only 3 days in 2016, compared to 31 and 46 days in 2013 and 2014 respectively.

All attacks, disclosed in this research, were perfectly organized and financed. And we do not believe these were crowdfunding projects from Kikstarter =) The only logical conclusion is that all of the espionage campaigns were planned, financed or even executed by secret services of different countries. The latest leaks presented by the WikiLeaks project made us even more sure of that.

Famous campaigns highlights

This research has covered 44 known malicious campaigns, which leveraged zero-day vulnerabilities.

The table below contains description of all major incidents occurred within the last 11 years between 2006 and 2016.

The so-far largest espionage campaign dubbed Operation Aurora is believed to use 8 zero-day vulnerabilities during the attacks. The second and the third place by the number of zero-days belong to Stuxnet and Sykipot campaigns: 4 zero-day vulnerabilities each.

Name	Description	Vulnerabilities
AdGholas	The attacks were active since at least October 2015. To avoid detection the hackers use steganography and file whitelisting techniques.	Multiple vulnerabilities in Microsoft Internet Explorer and Edge CVE-2016-3351 Multiple vulnerabilities in Microsoft Internet Explorer CVE-2016-3298 Information disclosure in Microsoft XML Core Services CVE-2017-0022	3
Amnesty International Hong Kong site breach	The hackers compromised the website and were delivering Trojan Gh0st RAT.	Multiple vulnerabilities in Adobe Reader and Acrobat CVE-2010-2884 Remote code execution in Microsoft XML Core Services CVE-2012-1889	2
CNACOM campaign	The campaign mainly targeted Taiwanese organizations and supposedly has Chinese origin.	Two remote code execution vulnerabilities in Adobe Flash Player CVE-2015-5122 Privilege escalation in Microsoft Windows CVE-2015-0016 Multiple vulnerabilities in Microsoft Internet Explorer CVE-2016-0189	3
Council on Foreign Relations (CFR) breach	The attack was performed on 26.12.2012. Chinese hackers are suspected to deliver Trojan Gh0st RAT on victim's computers.	Remote code execution in Microsoft Internet Explorer CVE-2012-4792	1
dailymotion.com breach	The campaign seems to use Angler Exploit kit. Trend Micro dubbed the exploit “SWF_EXPLOIT.MJST”.	Multiple vulnerabilities in Adobe Flash Player CVE-2015-0313	1
DarkLeech attack campaign	The campaign dates back to 2011. The hackers used Nymaim ransomware that locks users' computers and demands $300 to free their data. During further attacks, the hackers used Reveton malware to target visitors of FireEye Security Careers Webpage.	SQL injection in Parallels Plesk Panel CVE-2012-1557	1
Department of Labor breach	The attack took place in April, 2013.	Remote code execution in Microsoft Internet Explorer CVE-2013-1347	1
Foreign Affairs Ministries breach	The attacks is believed to be performed by the threat group known as PawnStorm.	Remote code execution in Adobe Flash Player CVE-2015-7645	1
Hurricane Panda	Hurricane Panda is an attack targeting major infrastructure companies. Attack was detected in 2013 and is believed to be of Chinese origin.	Multiple vulnerabilities in Microsoft Internet Explorer CVE-2014-4123 Remote code execution in Microsoft Windows CVE-2014-4148 Privilege escalation in Microsoft Windows CVE-2014-4113	3
Ice Dagger attack	The attack is called “Ice Dagger” by Adallom security firm due to its sophistication.	Information disclosure in Microsoft Office CVE-2013-5054	1
Iranian Nuclear Facilities breach	The breach was identified in summer 2010 by VirusBlokada antivirus company from Belarus, who was called to investigate computers in Iranian nuclear facilities.	Remote code execution in Microsoft Windows CVE-2010-2568 Remote code execution in Print Spooler service in Microsoft Windows CVE-2010-2729 Hardcoded credentials in Siemens SIMATIC WinCC and PSC 7 SCADA systems CVE-2010-2772 Insecure DLL loading in SIMATIC STEP 7 and PCS 7 CVE-2012-3015	4
LadyBoyle espionage campaign	The attack was performed in 2013, named after code, found within malicious SWF file.	Two remote code execution vulnerabilities in Adobe Flash Player CVE-2013-0634	1
Luckycat attacks	The campaign has been active since at least June 2011 and linked to 90 attacks against Indian and Japan institution.	Remote code execution in Adobe Flash Player CVE-2010-3654	1
Macktruck attack	The hackers performed the operation with the help of “Hangman” malware. FireEye suspects North Korea of attack against South Korea.	Remote code execution in Hangul Word Processor CVE-2015-6585	1
MiniDuke Malware Campaign	The attacks were revealed by Kaspersky Lab and CrySys Lab in February 2013. MiniDuke is a unique ATP campaign. The hackers used new CosmicDuke or TinyBaron backdoors to target Austria, Belgium, France, Germany, Hungary, Netherlands, Spain, Ukraine, the United States, Georgia, Russia, the United Kingdom, Kazakhstan, India, Belarus, Cyprus, and Lithuania, Azerbaijan, and Greece.	Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader CVE-2013-0641 Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader CVE-2013-0640	2
NATO breach and the attacks against White House members	The attacks were performed by PawnStorm attackers.	Security bypass Oracle Java SE CVE-2015-4902 Remote code execution in Oracle Java SE CVE-2015-2590	2
Nobel Peace Prize ceremony beach	The group behind this attack was also behind Sunshop. The attack server located in Taiwan spread malicious HTML file as Trojan.Malscript and the downloaded threat as Backdoor.Belmoo.	Remote code execution in Mozilla Firefox CVE-2010-3765 Use-after-free when parsing CSS in Internet Explorer CVE-2010-3962	2
Operation "Red October" (Rocra)	The malware attack was first detected in 2007 and was being used to target mainly diplomatic and government agencies in Eastern Europe, former USSR members, countries in Central Asia, Western Europe and North America, some African countries, such as Kenya, Uganda, Ethiopia, Chad, The Sudan and Eritrea. Kaspersky Lab discovered the operation program in October 2012 and uncovered it in January 2013.	Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office CVE-2012-0158 Multiple vulnerabilities in Microsoft Office CVE-2009-3129	2
Operation "Russian Doll"	The operation refers to the Russian Hacker group APT28. The hackers are suspected to target German parliament, French television network TV5Monde, the White House, and NATO.	Multiple vulnerabilities in Microsoft Windows CVE-2015-1701	1
Operation Aurora	Operation Aurora is a series of cyber attacks conducted since mid-2009. Such name was given by Dmitri Alperovitch of McAfee. The operation was discovered by Google in January, 2010 and is considered to have Chinese origin. The hackers targeted not only Google but also Yahoo, Symantec, Juniper Networks, Adobe, Northrop Grumman и Dow Chemical. Symantec identified the group behind the operation "Elderwood", Dell Secureworks - "Beijing Group".	Remote code execution in Adobe Acrobat and Adobe Reader CVE-2009-4324 Remote code execution in Microsoft Internet Explorer CVE-2010-0249 Remote code execution in Microsoft Internet Explorer CVE-2010-0806 Remote code execution in Adobe Flash Player CVE-2012-1535 Remote code execution in Microsoft Internet Explorer CVE-2012-4792 Remote code execution in Microsoft Windows CVE-2013-3918 Multiple vulnerabilities in Adobe Flash Player CVE-2014-0502 Remote code execution in Microsoft Internet Explorer CVE-2014-0322	8
Operation Clandestine Fox	The campaign has started in April 2014. The attacker used zero-day vulnerability in Internet Explorer and vectors including social engineering.	Remote code execution in Microsoft Internet Explorer CVE-2014-1776	1
Operation Clandestine Wolf	The operation against U.S. organizations lasted 3 weeks and was discovered by Singapore-based FireEye. The operation is believed to be performed by China-based group APT3 (also known as UPS). The hackers used SHOTPUT backdoor. FireEye relates Clandestine Wolf to another operation dubbed “Clandestine Fox”.	Remote code execution in Adobe Flash Player CVE-2015-3113	1
Operation CloudyOmega	The first attack traces back to at least 2011. The hackers used Backdoor.Emdivi to target mainly Japanese companies.	Remote code execution in JustSystems Ichitaro CVE-2014-7247	1
Operation DeputyDog	The campaign began on August 19, 2013 and targeted Japanese organizations. According to FireEye researchers, who detected the campaign, the attack payload was connected to the host in Hong Kong and the malware – to the host in South Korea.	Remote code execution in Microsoft Windows CVE-2013-3918 Remote code execution in Microsoft Internet Explorer CVE-2013-3893	2
Operation Ephemeral Hydra	The operation targeting U.S.-based non-governmental organization (NGO) website hosting domestic and international policy guidance. Is connected with DeputyDog attack.	Remote code execution in Microsoft Windows CVE-2013-3918	1
Operation Erebus	The operation was conducted against Russia, Nepal, South Korea, China, Kuwait, India and Romania by ScarCruft APT.	Remote code execution in Adobe Flash Player CVE-2016-4117	1
Operation GreedyWonk	Used to compromise sites of: - Peterson Institute for International. - Economics American Research Center in Egypt. - Smith Richardson Foundation.	Multiple vulnerabilities in Adobe Flash Player CVE-2014-0502	1
Operation Hangover	The main attacks were performed against Pakistan and are believed to have Indian origin. In March, 2013 a Norway-based security firm Norman first created a report about the operation.	Remote code execution in Microsoft Graphics Component CVE-2013-3906	1
Operation Iron Tiger	The operation was performed by Chinese group, called Emissary Panda or Threat Group-3390 (TG-3390). Hackers targeted US defense contractors and companies.	Privilege escalation in Microsoft Windows CVE-2008-1436	1
Operation SnowMan	Operation targeting US veterans of foreign wars website. Is considered to be connected with Operation DeputyDog and Operation Ephemeral Hydra.	Remote code execution in Microsoft Internet Explorer CVE-2014-0324 Remote code execution in Microsoft Internet Explorer CVE-2014-0322	2
PLEAD campaign	The campaign gained the moniker “PLEAD” in reference to the backdoor commands that the malware issues. Attacks, related to this campaign, have been around since 2012. The PLEAD campaign was the second attack to target governmental entities in Taiwan in the first half of 2014.	Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office CVE-2012-0158	1
PUNCHTRACK - companies in USA and Canada	According to FireEye hackers used malware “PUNCHTRACK” to steal users’ credit card data.	Multiple vulnerabilities in Microsoft Windows CVE-2016-0167	1
RSA breach	The stolen data was related to the SecurID technology. The attack is believed to be performed by China based APT threat group.	Remote code execution Adobe Flash Player CVE-2011-0609	1
Russian media website breach	Some specialists relate attack to the Duqu malware. The malicious server, situated in Ukraine, has been active since July 27, 2015.	Security bypass in Mozilla Firefox CVE-2015-4495	1
Sandworm - attacks against NATO, European government organizations, and U.S. academic organizations	The campaign goes back to December 2013. The hackers used Sandworm malware.	Remote code execution in Microsoft Windows CVE-2014-4114	1
Summer Olympics-themed attack	The attack was discovered by TrendMicro. The hackers used malicious Excel file as TROJ_MDROPPER.ZY, and the PowerPoint file as TROJ_PPDROP.M	Remote code execution in Microsoft Word CVE-2008-2244	1
Sun Shop Campaign	The campaign was first detected on May 20, 2013.	Remote code execution in Oracle Java SE CVE-2013-1493 Security bypass in Oracle Java SE CVE-2013-2423 Remote code execution in Microsoft Internet Explorer CVE-2013-1347	3
Sykipot campaigns	Sykipot attacks trace back to 2006. The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information). According to Symantec, the Sykipot group has Chinese roots.	Remote code execution in Microsoft Internet Explorer CVE-2010-0806 Buffer overflow in Microsoft Excel CVE-2007-0671 Remote code execution in Adobe Flash Player CVE-2010-3654 Remote code execution in Adobe Acrobat and Adobe Reader CVE-2011-2462	4
U.S. military and the Oil and Gas sector attacks	The attackers were targeting the Fortune 1000 companies. The users were redirected to the website containing Sweet Orange exploit kit. The C&C server behind the attack is believed to be located in Luxembourg.	Information disclosure in Microsoft Internet Explorer CVE-2013-7331	1
U.S. Veterans of Foreign Wars website breach	The campaign used method similar to Operation DeputyDog and Operation Ephemeral Hydra.	Remote code execution in Microsoft Internet Explorer CVE-2014-0324	1
UAE Human Rights Defender Ahmed Mansoor breach	Trident was used to install “Pegasus”, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies.	Multiple vulnerabilities in Apple iOS CVE-2016-4656 Multiple vulnerabilities in Apple iOS CVE-2016-4657 Multiple vulnerabilities in Apple iOS CVE-2016-4655	3
US Defense and Financial Services firms breach	The attack reffers to a Chinese actor group Codoso (according to iSIGHT Partners), Sunshop Group (according to FireEye).	Multiple vulnerabilities in Adobe Flash Player CVE-2014-9163 Multiple vulnerabilities in Microsoft Internet Explorer CVE-2015-0071	2
Washington state Administrative Office of the Courts (AOC) breach	The attack happened between September, 2012 and February, 2013. The hackers stole 160,000 SSNs, 1M driver's license numbers.	Multiple vulnerabilities in Adobe ColdFusion CVE-2013-0632	1
Willysy attack	The attack was first reported by Armorize on July 24, 2011. The malware targeted e-commerce Web pages. The researchers aren't aware of the attack origin but they discovered that malware traced to 8 IP addresses in Ukraine.	Remote code execution in Java CVE-2010-0886	1

Vulnerability distribution by vendors

All vulnerabilities form 2006 until 2016 were presented by 66 software vendors. Almost 50% of all vulnerabilities were reported in Microsoft products. The second closest vendor is Adobe with just 18% of zero-days, as demonstrated on the diagram below.

The following table contains a list of all vendors with links to disclosed zero-day vulnerabilities and their quantity for the last 11 years.

Software vendor	Vulnerabilities in total
Microsoft	153
Adobe	61
JustSystems Corporation	16
Oracle	11
Apple Inc.	6
Apache Foundation	4
Cisco Systems, Inc	4
Linux Foundation	4
Ourgame	4
Mozilla	3
Siemens	3
Atlassian	2
Baofeng	2
Google	2
ISC	2
Joomla!	2
Juniper Networks, Inc.	2
Marc-Etienne Vargenau	2
OpenX Source	2
PHP Group	2
TYPO3	2
Atomymaxsite	1
Chinagames	1
Chitora	1
Concept Software Private Limited	1
Coppermine Photo Gallery	1
D-Link	1
EWire	1
FancyBox	1
Fortinet, Inc	1
FreeBSD Foundation	1
FreePBX	1
GE Digital	1
GNU	1
H-fj	1
Hancom, Inc.	1
ImageMagick.org	1
Jenkins	1
Lhaca	1
ModPlug	1
MoinMoin	1
Netshine Software Limited	1
ntp.org	1
OpenSSL Software Foundation	1
Opera Software	1
Parallels	1
Perl	1
PHPCow LLC	1
phpMyForum	1
pivotlog.net	1
PJHome	1
Plone	1
QVOD Technology	1
RealNetworks	1
Roundcube	1
spip.net	1
SSReader	1
TimThumb	1
Tor Project	1
UUSEE	1
Valenok	1
vBulletin	1
Webempoweredchurch	1
Webglimpse.org	1
WordPress.ORG	1
Xunlei	1

Vulnerability distribution by software categories

The majority of all zero-day vulnerabilities (59,88%) was discovered in client/desktop applications. 21.56% of zero-days were exploited against operating system components. The rest of the vulnerabilities are divided almost equally between server and web applications (9,28% and 8,38% respectively), and less than 1% of zero-days were exploited against hardware appliances.

The following table contains a list of software categories along with number of vulnerabilities.

Software category	Vulnerabilities
Operating systems
Operating systems	72
Client/Desktop applications
Software for developers	11
Plugins for browsers, ActiveX components	57
Office applications	73
Web browsers	41
Other client software	5
Multimedia software	9
Software for archiving	3
Games	1
Server applications
Frameworks for developing and running applications	5
Web servers	4
Scripting languages	3
Application servers	8
DNS servers	2
Database software	2
Encryption software	1
Conferencing and VoIP solutions	1
Other server solutions	1
SCADA systems	4
Web applications
Other software	5
Forum & blogging software	4
CMS	12
Modules and components for CMS	4
E-Commerce systems	1
Remote management & hosting panels	1
Webmail solutions	1
Hardware solutions
Security hardware applicances	2
Routers & switches, VoIP, GSM, etc	1

Vulnerability distribution by software

Distribution of zero-days against Microsoft Office components is displayed on the diagram below. Almost half of all vulnerabilities were discovered within Microsoft Office itself and exploitation of these vulnerabilities did not depend on presence of a particular component. Vulnerabilities against Excel and Word have almost equal number of vulnerabilities.

On the following diagram you can see distribution of zero-days in different browsers. Internet Explorer was the primary target with 85,37% of all vulnerabilities in browsers.

Remediation period

Remediation period is an amount of days between public disclosure date and the date of issued patch. The highest average remediation period was detected in 2008. It took 42 days in average for vendors to patch zero-day vulnerabilities.

As you can see from the graph below, average remediation period started to decrees in 2013: it took only 4 days for vendors to address publicly disclosed zero-days in 2015 and just 1 day in 2016. Data on this graph is presented by patched vulnerabilities only. All unpatched vulnerabilities were excluded from this graph.

The average remediation period for all vulnerabilities since 2006 is 17 days. We attract your attention that these numbers will change after Cisco will release patches for still unpatched vulnerabilities.

The longest lifetime period of a publicly disclosed zero-day vulnerability from 2006 until 2016 is 366 days. It was reached by two vendors: Microsoft and Oracle in 2011 and 2012 respectively.

As you can see from the graph above, the longest lifetime of an unpatched zero-day for Adobe was 89 days in 2008. For JustSystems Corporation it was 41 days in 2013.

If we compare vulnerabilities disclosure timeframe, 55% of all vulnerabilities (182) were publicly disclosed before the vendor was able to issue the security fix.

As a result, if we compare average remediation period for already disclosed zero-days, the number would look a bit worse, than presented in general statistics. The average period for issuing a fix is 32 days, which is almost twice the average patching period. The slowest average period for releasing a security patch was 65 days in 2009, the fastest was in 2016 - just 3 days.

Brief review by years

2006

In 2006 all zero-day vulnerabilities were presented only by two vendors: JustSystems and Microsoft. By software categories distribution of zero-days looks as follows: 81% (17) of all vulnerabilities were exploited against client/desktop applications and 19% (4) of vulnerabilities against operating system components. The maximum lifetime of publicly known zero-day vulnerability was 79 days.

The maximum lifetime of publicly known zero-day vulnerability was 79 days for Microsoft.

Vendor	Vulnerabilities
JustSystems Corporation	1
Microsoft	20

Table. Vulnerabilities distribution by vendors in 2006

2007

In 2007 we have identified 25 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 55 days for Microsoft.

Vendor	Vulnerabilities
Apple Inc.	2
Chitora	1
EWire	1
JustSystems Corporation	3
Lhaca	1
Marc-Etienne Vargenau	2
Microsoft	10
Ourgame	1
phpMyForum	1
RealNetworks	1
SSReader	1
Xunlei	1

Table. Vulnerabilities distribution by vendors in 2007