It is this combination of many unpatched targets and the ability to potentially evade many
forms of intrusion detection and prevention systems that make 0-days such a powerful
weapon in the hands of attackers. Many legitimate security and vulnerability researchers
explore software systems to uncover 0-days and report them to the appropriate software
vendor in the hopes of preventing malicious individuals from finding and using them first.
Those who intend to use 0-days for illicit purposes guard the knowledge of a 0-day very
carefully lest it become widely and publically known and effective countermeasures,
including vendor software patches, can be deployed.
One of the more disturbing issues regarding 0-days is their lifetimes. The lifetime of a 0-day
is the amount of time between the discovery of the vulnerability and public disclosure
through vendor or researcher announcement, mailing lists, and so on. By the very nature of
0-day discovery and disclosure, it is difficult to get reliable statistics on lifetimes, but one
vulnerability research organization claims its studies indicate an average 0-day lifetime of
348 days. Hence, if malicious attackers have a high-value 0-day in hand, they may have
almost a year to put it to most effective use. If used in a stealthy manner so as not to tip off
system defenders, vendors, and researchers, this sort of 0-day can yield many high-value
compromised systems for the attackers. Though there has been no official substantiation,
there has been a great deal of speculation that the Titan Rain series of attacks against
sensitive U.S. government networks between 2003 and 2005 utilized a set of 0-days against
Microsoft software