Anton Chuvakin eviscerates me here for claiming there are very few 0days (what Shimel is starting to call Less than Zero Days).

Come on, Rich? How do YOU know? Given that we know (and you yourself state) that there are very few ways to prevent, block or even detect it … What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from “stale” attacks; however, it is NOT the same as saying that there are few 0days out there. I am stunned when folks make those claims. BTW, check out this list that Pete Lindstrom maintains on public exposures of 0day attacks. But how many were used and are not on his (or anybody’s) list? Ominous silence is the answer 🙂

How do I know?

Because we’d all be out of business if I were wrong. Most of our IT systems work, most of us aren’t seeing our bank accounts drained every month, most companies stay in business and don’t lose all their intellectual property, and most networks and servers seem to run fine with common security controls and without all sorts of strange back channel traffic we’d probably notice eventually.

Ergo the number of true 0day exploits is small enough we don’t have to freak out about them on a daily basis.

When we start seeing all sorts of mysterious failures and losses, then I’ll believe those 0days are something that we all need to start really worrying about.

We can hype up as many threats as we want, but as long as everyone seems to be able to do business as normal without the kind of losses we actually notice, we should save the FUD for when we need it.

That’s how I can make that claim. At least for now.

If an exploit falls in the forest and no one hears it, are you really 0wn3d?

(Remember, I’m talking real losses. Yes, you can be hacked and not know it, but for this argument I’m assuming there are enough smart security types in enough enterprises that we’d notice something. It sometimes happens (e.g. some of the Office hacks and the .wmf vulnerability), but those attacks are in the vast minority.)