Zero-DAY Vulnerability Statistics

Table of contents

Abstract

Security is not a process. It's a state until you get pwned (c)

This research covers the most dangerous kind of vulnerabilities - the ones that are unknown to anybody except the malicious actor. Once they are used in a properly engineered attack there is no way to stop the hack. For the past decade we have witnessed sophisticated crimes, perfectly planned, organized and executed by the real Kung Fu masters of keyboard, mouse and espionage.

During our research we have gathered and analyzed publicly available information about almost 100 APT campaigns and reports on more than 500 vulnerabilities, suspected to be exploited in the wild both in targeted and mass attacks. As data sources we have used vulnerability databases, reports from companies and researchers in the field, news articles, official statements, etc. For comparison purposes we have chosen yearly reports from major IT security market players, who publish zero-day vulnerability statistics, such as Symantec, Trustwave, Flexera/Secunia, and FireEye.

So here we are, to tell you everything we know about zero-days.

Sincerely yours,
Valerii Marchuk
Cybersecurity Help team =)

Terminology

In this report we will operate the terms, described below. Despite some of them are widely used, we still feel the need to describe them to avoid any possible misunderstandings or double meanings.

Vulnerability - is an error in software code, which can be used with security impact, e.g. can influence confidentiality, integrity or availability of the application.

Zero-day candidate - is a vulnerability, which can potentially be used in targeted attacks, however there is not enough evidence to confirm its actual exploitation before the official security fix release.

Zero-day vulnerability - is a vulnerability, which has been exploited in real-world attacks before vendor was able to issue a security fix.

Software category - category of applications, which is used to describe the basic functionality of the particular software.

Client/Desktop applications - software for end-users used primarily on user desktops, e.g. browsers, video players, text processors, etc.

Server applications - software used on server systems as services or daemons, e.g. web servers, database engines, DNS servers, etc.

Web application - software used to serve web content with help of web server, e.g. content management systems, forum and blogging software, e-commerce, etc.

Hardware solutions - mostly firmware used on a variety of hardware appliances.

Scope

The scope of this research was to identify, classify and analyze all publicly known zero-day vulnerabilities for the past 11 years. During our research we have investigated reports on over 500 vulnerabilities, suspected to be exploited in the wild both in targeted and mass attacks. All vulnerabilities were treated as zero-day candidates and then transferred into zero-day vulnerabilities once evidence of their exploitation in the wild before official patch release was confirmed.

Period

Information, provided in this research, is based on data collected and analyzed between 2006 and 2016.

Data Sources

For this research we have used OSINT (Open Source Intelligence) approach, gathering and analyzing publicly available data sources, such as vulnerability databases, reports from companies and researchers in the field, news articles, official statements, etc. For comparison purposes we have chosen yearly reports from major IT security market players, who publish zero-day vulnerability statistics, such as Symantec, Trustwave, Flexera/Secunia, and FireEye.

Key findings

The research covers 11 years from 2006 until 2016 and identifies 334 zero-day vulnerabilities used in various attacks worldwide. Zero-day vulnerabilities are usually reported on yearly basis by several IT security companies, however the reported numbers almost always differ (even from one yearly report to the other for the same period in reports of the same company). On the graph below you can see the number of zero-day vulnerabilities reported by each IT security company. In case of Flexera/Secunia we used numbers available in the latest reports for the particular year.

The huge problem with the statistics above is that security reports usually do not reveal much information about the zero-day vulnerabilities in their reports except their total quantity. We hope that we were able to cover all zero-day vulnerabilities, identified by these companies.

The problematic year in question is 2015, when Symantec reported 54 zero-days. We were able to confirm 36 vulnerabilities only. The difference between numbers from OSINT research and Symantec report comes from the number of zero-days discovered in different types of software, as stated in the table below:

SourceSymantecOSINT
ICS/SCADA systems70
Adobe Flash Player1010
Open source software114
Hacking Team exploits66
Other vulnerabilities2016
Total5436

The above graph is still to be updated with new data, once they are available.

The facts

During this research we have come to interesting conclusions and deeper understanding of the nature for zero-day attacks.

The largest number of zero-day vulnerabilities was reported in Microsoft products - 46% of all zero-days. The second closes vendor is Adobe with just 18% of the "market". At the same time, the malware developers chose office applications as the most popular attack vector (73 zero-days) and operating system components (72 zero-days). The third place is taken by the number of exploits against browser-based plugins (e.g. ActiveX components, Adobe Flash player, Silverlight, etc) - 57 in total. Along with web browsers (41 zero-days) they cover 73% of all vulnerabilities used in targeted attacks.

The highest amount of zero-day vulnerabilities was discovered in Microsoft Windows operating system (18,62%). The second place is taken by Adobe Flash Player (12,31%). Third and fourth places are divided between Microsoft Office components (11,41%) and Internet Explorer (10,51%). The fifth place is taken by JustSystems Ichitaro (4,5%).

55% of all zero-day vulnerabilities were disclosed before vendor was able to issue security patch, and it took 32 days on average to fix these vulnerabilities.

The number of days to react on publicly disclosed zero-day and issue a security patch starts to lower significantly from 2015. It took 9 days on average in 2015 to issue a security patch and only 3 days in 2016, compared to 31 and 46 days in 2013 and 2014 respectively.

All attacks, disclosed in this research, were perfectly organized and financed. And we do not believe these were crowdfunding projects from Kikstarter =) The only logical conclusion is that all of the espionage campaigns were planned, financed or even executed by secret services of different countries. The latest leaks presented by the WikiLeaks project made us even more sure of that.

Famous campaigns highlights

This research has covered 44 known malicious campaigns, which leveraged zero-day vulnerabilities.

The table below contains description of all major incidents occurred within the last 11 years between 2006 and 2016.

The so-far largest espionage campaign dubbed Operation Aurora is believed to use 8 zero-day vulnerabilities during the attacks. The second and the third place by the number of zero-days belong to Stuxnet and Sykipot campaigns: 4 zero-day vulnerabilities each.

NameDescriptionVulnerabilities
AdGholasThe attacks were active since at least October 2015. To avoid detection the hackers use steganography and file whitelisting techniques. Multiple vulnerabilities in Microsoft Internet Explorer and Edge
CVE-2016-3351
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-3298
Information disclosure in Microsoft XML Core Services
CVE-2017-0022
3
Amnesty International Hong Kong site breachThe hackers compromised the website and were delivering Trojan Gh0st RAT. Multiple vulnerabilities in Adobe Reader and Acrobat
CVE-2010-2884
Remote code execution in Microsoft XML Core Services
CVE-2012-1889
2
CNACOM campaignThe campaign mainly targeted Taiwanese organizations and supposedly has Chinese origin. Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2015-5122
Privilege escalation in Microsoft Windows
CVE-2015-0016
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2016-0189
3
Council on Foreign Relations (CFR) breachThe attack was performed on 26.12.2012. Chinese hackers are suspected to deliver Trojan Gh0st RAT on victim's computers.
Remote code execution in Microsoft Internet Explorer
CVE-2012-4792
1
dailymotion.com breach

The campaign seems to use Angler Exploit kit.

Trend Micro dubbed the exploit “SWF_EXPLOIT.MJST”.

Multiple vulnerabilities in Adobe Flash Player
CVE-2015-0313
1
DarkLeech attack campaign

The campaign dates back to 2011. The hackers used Nymaim ransomware that locks users' computers and demands $300 to free their data. During further attacks, the hackers used Reveton malware to target visitors of FireEye Security Careers Webpage.

SQL injection in Parallels Plesk Panel
CVE-2012-1557
1
Department of Labor breachThe attack took place in April, 2013. Remote code execution in Microsoft Internet Explorer
CVE-2013-1347
1
Foreign Affairs Ministries breachThe attacks is believed to be performed by the threat group known as PawnStorm. Remote code execution in Adobe Flash Player
CVE-2015-7645
1
Hurricane Panda

Hurricane Panda is an attack targeting major infrastructure companies.

Attack was detected in 2013 and is believed to be of Chinese origin.
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2014-4123
Remote code execution in Microsoft Windows
CVE-2014-4148
Privilege escalation in Microsoft Windows
CVE-2014-4113
3
Ice Dagger attackThe attack is called “Ice Dagger” by Adallom security firm due to its sophistication. Information disclosure in Microsoft Office
CVE-2013-5054
1
Iranian Nuclear Facilities breachThe breach was identified in summer 2010 by VirusBlokada antivirus company from Belarus, who was called to investigate computers in Iranian nuclear facilities. Remote code execution in Microsoft Windows
CVE-2010-2568
Remote code execution in Print Spooler service in Microsoft Windows
CVE-2010-2729
Hardcoded credentials in Siemens SIMATIC WinCC and PSC 7 SCADA systems
CVE-2010-2772
Insecure DLL loading in SIMATIC STEP 7 and PCS 7
CVE-2012-3015
4
LadyBoyle espionage campaign

The attack was performed in 2013, named after code, found within malicious SWF file.

Two remote code execution vulnerabilities in Adobe Flash Player
CVE-2013-0634
1
Luckycat attacks

The campaign has been active since at least June 2011 and linked to 90 attacks against Indian and Japan institution.

Remote code execution in Adobe Flash Player
CVE-2010-3654
1
Macktruck attackThe hackers performed the operation with the help of “Hangman” malware. FireEye suspects North Korea of attack against South Korea. Remote code execution in Hangul Word Processor
CVE-2015-6585
1
MiniDuke Malware Campaign

The attacks were revealed by Kaspersky Lab and CrySys Lab in February 2013.

MiniDuke is a unique ATP campaign. The hackers used new CosmicDuke or TinyBaron backdoors to target Austria, Belgium, France, Germany, Hungary, Netherlands, Spain, Ukraine, the United States, Georgia, Russia, the United Kingdom, Kazakhstan, India, Belarus, Cyprus, and Lithuania, Azerbaijan, and Greece.
Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader
CVE-2013-0641
Two remote code execution vulnerabilities in Adobe Acrobat and Adobe Reader
CVE-2013-0640
2
NATO breach and the attacks against White House membersThe attacks were performed by PawnStorm attackers. Security bypass Oracle Java SE
CVE-2015-4902
Remote code execution in Oracle Java SE
CVE-2015-2590
2
Nobel Peace Prize ceremony beach

The group behind this attack was also behind Sunshop.

The attack server located in Taiwan spread malicious HTML file as Trojan.Malscript and the downloaded threat as Backdoor.Belmoo.
Remote code execution in Mozilla Firefox
CVE-2010-3765
Use-after-free when parsing CSS in Internet Explorer
CVE-2010-3962
2
Operation "Red October" (Rocra)

The malware attack was first detected in 2007 and was being used to target mainly diplomatic and government agencies in Eastern Europe, former USSR members, countries in Central Asia, Western Europe and North America, some African countries, such as Kenya, Uganda, Ethiopia, Chad, The Sudan and Eritrea.

Kaspersky Lab discovered the operation program in October 2012 and uncovered it in January 2013.
Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office
CVE-2012-0158
Multiple vulnerabilities in Microsoft Office
CVE-2009-3129
2
Operation "Russian Doll"The operation refers to the Russian Hacker group APT28. The hackers are suspected to target German parliament, French television network TV5Monde, the White House, and NATO. Multiple vulnerabilities in Microsoft Windows
CVE-2015-1701
1
Operation Aurora

Operation Aurora is a series of cyber attacks conducted since mid-2009. Such name was given by Dmitri Alperovitch of McAfee.

The operation was discovered by Google in January, 2010 and is considered to have Chinese origin.

The hackers targeted not only Google but also Yahoo, Symantec, Juniper Networks, Adobe, Northrop Grumman и Dow Chemical.

Symantec identified the group behind the operation "Elderwood", Dell Secureworks - "Beijing Group".
Remote code execution in Adobe Acrobat and Adobe Reader
CVE-2009-4324
Remote code execution in Microsoft Internet Explorer
CVE-2010-0249
Remote code execution in Microsoft Internet Explorer
CVE-2010-0806
Remote code execution in Adobe Flash Player
CVE-2012-1535
Remote code execution in Microsoft Internet Explorer
CVE-2012-4792
Remote code execution in Microsoft Windows
CVE-2013-3918
Multiple vulnerabilities in Adobe Flash Player
CVE-2014-0502
Remote code execution in Microsoft Internet Explorer
CVE-2014-0322
8
Operation Clandestine FoxThe campaign has started in April 2014. The attacker used zero-day vulnerability in Internet Explorer and vectors including social engineering.
Remote code execution in Microsoft Internet Explorer
CVE-2014-1776
1
Operation Clandestine Wolf

The operation against U.S. organizations lasted 3 weeks and was discovered by Singapore-based FireEye.

The operation is believed to be performed by China-based group APT3 (also known as UPS).

The hackers used SHOTPUT backdoor.

FireEye relates Clandestine Wolf to another operation dubbed “Clandestine Fox”.
Remote code execution in Adobe Flash Player
CVE-2015-3113
1
Operation CloudyOmegaThe first attack traces back to at least 2011. The hackers used Backdoor.Emdivi to target mainly Japanese companies. Remote code execution in JustSystems Ichitaro
CVE-2014-7247
1
Operation DeputyDogThe campaign began on August 19, 2013 and targeted Japanese organizations. According to FireEye researchers, who detected the campaign, the attack payload was connected to the host in Hong Kong and the malware – to the host in South Korea. Remote code execution in Microsoft Windows
CVE-2013-3918
Remote code execution in Microsoft Internet Explorer
CVE-2013-3893
2
Operation Ephemeral Hydra

The operation targeting U.S.-based non-governmental organization (NGO) website hosting domestic and international policy guidance.

Is connected with DeputyDog attack.
Remote code execution in Microsoft Windows
CVE-2013-3918
1
Operation ErebusThe operation was conducted against Russia, Nepal, South Korea, China, Kuwait, India and Romania by ScarCruft APT. Remote code execution in Adobe Flash Player
CVE-2016-4117
1
Operation GreedyWonkUsed to compromise sites of:
- Peterson Institute for International.
- Economics American Research Center in Egypt.
- Smith Richardson Foundation.
Multiple vulnerabilities in Adobe Flash Player
CVE-2014-0502
1
Operation Hangover

The main attacks were performed against Pakistan and are believed to have Indian origin.

In March, 2013 a Norway-based security firm Norman first created a report about the operation.
Remote code execution in Microsoft Graphics Component
CVE-2013-3906
1
Operation Iron Tiger

The operation was performed by Chinese group, called Emissary Panda or Threat Group-3390 (TG-3390).

Hackers targeted US defense contractors and companies.
Privilege escalation in Microsoft Windows
CVE-2008-1436
1
Operation SnowManOperation targeting US veterans of foreign wars website. Is considered to be connected with Operation DeputyDog and Operation Ephemeral Hydra. Remote code execution in Microsoft Internet Explorer
CVE-2014-0324
Remote code execution in Microsoft Internet Explorer
CVE-2014-0322
2
PLEAD campaignThe campaign gained the moniker “PLEAD” in reference to the backdoor commands that the malware issues. Attacks, related to this campaign, have been around since 2012. The PLEAD campaign was the second attack to target governmental entities in Taiwan in the first half of 2014. Remote code execution in MSCOMCTL.OCX ActiveX control in Microsoft Office
CVE-2012-0158
1
PUNCHTRACK - companies in USA and CanadaAccording to FireEye hackers used malware “PUNCHTRACK” to steal users’ credit card data. Multiple vulnerabilities in Microsoft Windows
CVE-2016-0167
1
RSA breach

The stolen data was related to the SecurID technology.

The attack is believed to be performed by China based APT threat group.
Remote code execution Adobe Flash Player
CVE-2011-0609
1
Russian media website breach

Some specialists relate attack to the Duqu malware.

The malicious server, situated in Ukraine, has been active since July 27, 2015.
Security bypass in Mozilla Firefox
CVE-2015-4495
1
Sandworm - attacks against NATO, European government organizations, and U.S. academic organizations

The campaign goes back to December 2013.

The hackers used Sandworm malware.
Remote code execution in Microsoft Windows
CVE-2014-4114
1
Summer Olympics-themed attackThe attack was discovered by TrendMicro. The hackers used malicious Excel file as TROJ_MDROPPER.ZY, and the PowerPoint file as TROJ_PPDROP.M Remote code execution in Microsoft Word
CVE-2008-2244
1
Sun Shop Campaign

The campaign was first detected on May 20, 2013.

Remote code execution in Oracle Java SE
CVE-2013-1493
Security bypass in Oracle Java SE
CVE-2013-2423
Remote code execution in Microsoft Internet Explorer
CVE-2013-1347
3
Sykipot campaigns

Sykipot attacks trace back to 2006.

The attackers were sending emails with specially crafted links or content containing JS.Sykipot and Backdoor.Sykipot. Trojans to obtain intellectual property (design, financial, manufacturing, or strategic planning information).

According to Symantec, the Sykipot group has Chinese roots.
Remote code execution in Microsoft Internet Explorer
CVE-2010-0806
Buffer overflow in Microsoft Excel
CVE-2007-0671
Remote code execution in Adobe Flash Player
CVE-2010-3654
Remote code execution in Adobe Acrobat and Adobe Reader
​CVE-2011-2462
4
U.S. military and the Oil and Gas sector attacks

The attackers were targeting the Fortune 1000 companies. The users were redirected to the website containing Sweet Orange exploit kit. The C&C server behind the attack is believed to be located in Luxembourg.

Information disclosure in Microsoft Internet Explorer
CVE-2013-7331
1
U.S. Veterans of Foreign Wars website breachThe campaign used method similar to Operation DeputyDog and Operation Ephemeral Hydra. Remote code execution in Microsoft Internet Explorer
CVE-2014-0324
1
UAE Human Rights Defender Ahmed Mansoor breach

Trident was used to install “Pegasus”, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies.

Multiple vulnerabilities in Apple iOS
CVE-2016-4656
Multiple vulnerabilities in Apple iOS
CVE-2016-4657
Multiple vulnerabilities in Apple iOS
CVE-2016-4655
3
US Defense and Financial Services firms breachThe attack reffers to a Chinese actor group Codoso (according to iSIGHT Partners), Sunshop Group (according to FireEye). Multiple vulnerabilities in Adobe Flash Player
CVE-2014-9163
Multiple vulnerabilities in Microsoft Internet Explorer
CVE-2015-0071
2
Washington state Administrative Office of the Courts (AOC) breachThe attack happened between September, 2012 and February, 2013. The hackers stole 160,000 SSNs, 1M driver's license numbers. Multiple vulnerabilities in Adobe ColdFusion
CVE-2013-0632
1
Willysy attack

The attack was first reported by Armorize on July 24, 2011.

The malware targeted e-commerce Web pages. The researchers aren't aware of the attack origin but they discovered that malware traced to 8 IP addresses in Ukraine.

Remote code execution in Java
CVE-2010-0886
1

Vulnerability distribution by vendors

All vulnerabilities form 2006 until 2016 were presented by 66 software vendors. Almost 50% of all vulnerabilities were reported in Microsoft products. The second closest vendor is Adobe with just 18% of zero-days, as demonstrated on the diagram below.

The following table contains a list of all vendors with links to disclosed zero-day vulnerabilities and their quantity for the last 11 years.

Software vendor Vulnerabilities in total
Microsoft153
Adobe61
JustSystems Corporation16
Oracle11
Apple Inc.6
Apache Foundation4
Cisco Systems, Inc4
Linux Foundation4
Ourgame4
Mozilla3
Siemens3
Atlassian2
Baofeng2
Google2
ISC2
Joomla!2
Juniper Networks, Inc.2
Marc-Etienne Vargenau2
OpenX Source2
PHP Group2
TYPO32
Atomymaxsite1
Chinagames1
Chitora1
Concept Software Private Limited1
Coppermine Photo Gallery1
D-Link1
EWire1
FancyBox1
Fortinet, Inc1
FreeBSD Foundation1
FreePBX1
GE Digital1
GNU1
H-fj1
Hancom, Inc.1
ImageMagick.org1
Jenkins1
Lhaca1
ModPlug1
MoinMoin1
Netshine Software Limited1
ntp.org1
OpenSSL Software Foundation1
Opera Software1
Parallels1
Perl1
PHPCow LLC1
phpMyForum1
pivotlog.net1
PJHome1
Plone1
QVOD Technology1
RealNetworks1
Roundcube1
spip.net1
SSReader1
TimThumb1
Tor Project1
UUSEE1
Valenok1
vBulletin1
Webempoweredchurch1
Webglimpse.org1
WordPress.ORG1
Xunlei1

Vulnerability distribution by software categories

The majority of all zero-day vulnerabilities (59,88%) was discovered in client/desktop applications. 21.56% of zero-days were exploited against operating system components. The rest of the vulnerabilities are divided almost equally between server and web applications (9,28% and 8,38% respectively), and less than 1% of zero-days were exploited against hardware appliances.

The following table contains a list of software categories along with number of vulnerabilities.

Software categoryVulnerabilities
Operating systems
Operating systems72
Client/Desktop applications
Software for developers11
Plugins for browsers, ActiveX components57
Office applications73
Web browsers41
Other client software5
Multimedia software9
Software for archiving3
Games1
Server applications
Frameworks for developing and running applications5
Web servers4
Scripting languages3
Application servers8
DNS servers2
Database software2
Encryption software1
Conferencing and VoIP solutions1
Other server solutions1
SCADA systems4
Web applications
Other software5
Forum & blogging software4
CMS12
Modules and components for CMS4
E-Commerce systems1
Remote management & hosting panels1
Webmail solutions1
Hardware solutions
Security hardware applicances2
Routers & switches, VoIP, GSM, etc1

Vulnerability distribution by software

The highest amount of zero-day vulnerabilities was discovered in Microsoft Windows operating system (18,62%). The second place is taken by Adobe Flash Player (12,31%). Third and fourth places are divided between Microsoft Office components (11,41%) and Internet Explorer (10,51%). The fifth place is taken by JustSystems Ichitaro (4,5%).

Distribution of zero-days against Microsoft Office components is displayed on the diagram below. Almost half of all vulnerabilities were discovered within Microsoft Office itself and exploitation of these vulnerabilities did not depend on presence of a particular component. Vulnerabilities against Excel and Word have almost equal number of vulnerabilities.

On the following diagram you can see distribution of zero-days in different browsers. Internet Explorer was the primary target with 85,37% of all vulnerabilities in browsers.

Remediation period

Remediation period is an amount of days between public disclosure date and the date of issued patch. The highest average remediation period was detected in 2008. It took 42 days in average for vendors to patch zero-day vulnerabilities.

As you can see from the graph below, average remediation period started to decrees in 2013: it took only 4 days for vendors to address publicly disclosed zero-days in 2015 and just 1 day in 2016. Data on this graph is presented by patched vulnerabilities only. All unpatched vulnerabilities were excluded from this graph.

The average remediation period for all vulnerabilities since 2006 is 17 days. We attract your attention that these numbers will change after Cisco will release patches for still unpatched vulnerabilities.

The longest lifetime period of a publicly disclosed zero-day vulnerability from 2006 until 2016 is 366 days. It was reached by two vendors: Microsoft and Oracle in 2011 and 2012 respectively.

As you can see from the graph above, the longest lifetime of an unpatched zero-day for Adobe was 89 days in 2008. For JustSystems Corporation it was 41 days in 2013.

If we compare vulnerabilities disclosure timeframe, 55% of all vulnerabilities (182) were publicly disclosed before the vendor was able to issue the security fix.

As a result, if we compare average remediation period for already disclosed zero-days, the number would look a bit worse, than presented in general statistics. The average period for issuing a fix is 32 days, which is almost twice the average patching period. The slowest average period for releasing a security patch was 65 days in 2009, the fastest was in 2016 - just 3 days.

Brief review by years

2006

In 2006 all zero-day vulnerabilities were presented only by two vendors: JustSystems and Microsoft. By software categories distribution of zero-days looks as follows: 81% (17) of all vulnerabilities were exploited against client/desktop applications and 19% (4) of vulnerabilities against operating system components. The maximum lifetime of publicly known zero-day vulnerability was 79 days.

The maximum lifetime of publicly known zero-day vulnerability was 79 days for Microsoft.

VendorVulnerabilities
JustSystems Corporation1
Microsoft20

Table. Vulnerabilities distribution by vendors in 2006

2007

In 2007 we have identified 25 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 55 days for Microsoft.

VendorVulnerabilities
Apple Inc.2
Chitora1
EWire1
JustSystems Corporation3
Lhaca1
Marc-Etienne Vargenau2
Microsoft10
Ourgame1
phpMyForum1
RealNetworks1
SSReader1
Xunlei1

Table. Vulnerabilities distribution by vendors in 2007

Below are diagrams with visual representation of all vulnerabilities by software categories.

2008

In 2008 we have identified 21 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 362 days for Microsoft.

VendorVulnerabilities
Adobe2
Coppermine Photo Gallery1
JustSystems Corporation1
Microsoft11
Ourgame3
PHPCow LLC1
QVOD Technology1
UUSEE1

Table. Vulnerabilities distribution by vendors in 2008

Below are diagrams with visual representation of all vulnerabilities by software categories.

2009

In 2009 we have identified 37 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 187 days for Microsoft.

VendorVulnerabilities
Adobe5
Apache Foundation1
Baofeng2
Chinagames1
ISC1
JustSystems Corporation2
Microsoft20
ModPlug1
Mozilla1
Perl1
PJHome1
spip.net1

Table. Vulnerabilities distribution by vendors in 2009

Below are diagrams with visual representation of all vulnerabilities by software categories.

2010

In 2010 we have identified 32 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 234 days for Siemens.

VendorVulnerabilities
Adobe8
Atlassian2
JustSystems Corporation4
Linux Foundation1
Microsoft13
Mozilla1
Netshine Software Limited1
Oracle1
Siemens1

Table. Vulnerabilities distribution by vendors in 2010

Below are diagrams with visual representation of all vulnerabilities by software categories.

2011

In 2011 we have identified 28 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 366 days for Microsoft.

VendorVulnerabilities
Adobe9
Apache Foundation2
Apple Inc.1
FreeBSD Foundation1
JustSystems Corporation1
Microsoft8
Oracle1
pivotlog.net1
Plone1
TimThumb1
Valenok1
Webempoweredchurch1

Table. Vulnerabilities distribution by vendors in 2011

Below are diagrams with visual representation of all vulnerabilities by software categories.

2012

In 2012 we have identified 25 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 366 days for Oracle.

VendorVulnerabilities
Adobe3
Atomymaxsite1
Linux Foundation1
Microsoft8
MoinMoin1
Opera Software1
Oracle4
Parallels1
PHP Group2
Siemens1
TYPO31
Webglimpse.org1

Table. Vulnerabilities distribution by vendors in 2012

Below are diagrams with visual representation of all vulnerabilities by software categories.

2013

In 2013 we have identified 42 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 253 days for ntp.org.

VendorVulnerabilities
Adobe12
D-Link1
GE Digital1
Google2
ISC1
Joomla!1
JustSystems Corporation2
Microsoft14
ntp.org1
OpenX Source2
Oracle3
Roundcube1
vBulletin1

Table. Vulnerabilities distribution by vendors in 2013

Below are diagrams with visual representation of all vulnerabilities by software categories.

2014

In 2014 we have identified 34 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 26 days for Microsoft.

VendorVulnerabilities
Adobe6
Apache Foundation1
FreePBX1
GNU1
JustSystems Corporation2
Microsoft20
OpenSSL Software Foundation1
Siemens1
TYPO31

Table. Vulnerabilities distribution by vendors in 2014

Below are diagrams with visual representation of all vulnerabilities by software categories.

2015

In 2015 we have identified 36 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 38 days for Microsoft.

VendorVulnerabilities
Adobe10
FancyBox1
H-fj1
Hancom, Inc.1
Joomla!1
Juniper Networks, Inc.2
Microsoft18
Oracle2

Table. Vulnerabilities distribution by vendors in 2015

Below are diagrams with visual representation of all vulnerabilities by software categories.

2016

In 2016 we have identified 33 zero-day vulnerabilities. The maximum lifetime of publicly known zero-day vulnerability was 8 days for Microsoft.

VendorVulnerabilities
Adobe6
Apple Inc.3
Cisco Systems, Inc4
Concept Software Private Limited1
Fortinet, Inc1
ImageMagick.org1
Jenkins1
Linux Foundation2
Microsoft11
Mozilla1
Tor Project1
WordPress.ORG1

Table. Vulnerabilities distribution by vendors in 2016

Below are diagrams with visual representation of all vulnerabilities by software categories.

Final word

The results of this researched are subject to change to reflect new data regarding zero-day vulnerabilities, attacks and malicious activity. We will do our best to keep the data up-to-date and inform our readers about any changes in the statistics.

If you have any questions, suggestions or comments regarding this research, please do not hesitate to contact us.

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.