Seven myths about zero day vulnerabilities debunked

[Jack]

Are zero day flaws what the bad guys are always looking for? Just how prevalent are zero day flaws within their business model? Are zero day flaws crucial for the success of targeted attacks attacks? Let’s debunk seven myths about zero day flaws

More details - link

 

[Jack]

This is exactly my point of view on this subject :

 

[bogdan]

It all depends about what everyone understands "0-day vulnerabilities" to be. If he talks about unknown flaws discovered in a product that can be exploited, he might be right. But unfortunately there are also known flaws with proof-of-concept code available on public sites like Exploit Database or integrated into Metaspoit that anyone can use to produce malicious software but companies ignore for some time. Sure, most malware threats do not use 0-day vulnerabilities and if you install updates regularly you are much safer, but there are some that do and those create significant damage. It took a long time for Microsoft to patch all 0-day vulnerabilities Stuxnet used.

And there is another aspect. In some cases malware doesn't even need to exploit a vulnerability since users are tricked into running the software themselves and they use an administrator account with UAC turned off. They exploit the user