<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Arial">Actually it's not apples and oranges. Most people
are stunned when they hear that only 0.12% of compromises are
attributed to 0-day vulnerabilities. They are even more stunned
when they find out that only 6% of malware infections are
attributed to the use of general exploits (non-zeroday).<br>
<br>
The point is, there are much bigger issues at hand that need to be
addressed like the fact that 90% of all compromises in 2011 were
attributed to vulnerabilities that had been in the public domain for
over one year. <br>
<br>
How can anyone expect to protect themselves from zero-days if
they can't protect themselves from known issues for which patches
/ fixes already exist? <br>
<br>
</font>
<div class="moz-cite-prefix">On 8/14/12 5:13 PM, Michal Zalewski
wrote:<br>
</div>
<blockquote
cite="mid:CALx_OUATUeSJD=+qg_rk4DLQ3s_8x6mzU+8T1O7hzMYzWfgcoA@mail.gmail.com"
type="cite">
<blockquote type="cite">
<pre wrap=""><a class="moz-txt-link-freetext" href="http://pentest.netragard.com/2012/08/13/selling-zero-days-doesnt-increase-your-risk-heres-why/">http://pentest.netragard.com/2012/08/13/selling-zero-days-doesnt-increase-your-risk-heres-why/</a>
</pre>
</blockquote>
<pre wrap="">
I think it's apples and oranges. A vast majority of compromises happen
due to user error, software design errors, or inadequate patching, and
nobody in their right mind contests that. 0-day vulnerabilities
surface in a variety of high-profile cases, and they are not a direct
threat to most of the users. Which doesn't make them a non-issue - in
fact, they are a huge practical issue in some settings.
/mz
</pre>
</blockquote>
<br>
</body>
</html>