The security industry came across an unprecedented number of zero-day vulnerabilities in 2015.
That is just one of the findings of the 2016 Internet Security Threat Report, an annual study published by Symantec that provides an overview and analysis of the previous year in global threat activity.
"There was an unprecedented 54 zero-day vulnerabilities found throughout 2015, more than doubling the number found in the previous year," the security firm explains in its report. "Discovering unknown vulnerabilities and figuring out how to exploit them has clearly become a go-to technique for advanced attackers, and there is no sign of this trend changing."
In 2014, security researchers observed 24 zero-day vulnerabilities, which marked a four percent uptick compared to the previous year (23 vulnerabilities).
The vulnerabilities accounted for in Symantec’s report include flaws that were exploited by hackers who left footprints as well as bugs that came to light via other means, such as last summer’s Hacking Team leaks.
Most of the security issues found in 2015 targeted well known software. For example, 10 zero-day vulnerabilities attacked Adobe Flash. Those bugs made up approximately 80 percent of last year’s exploited zero-days, which along with the discovery of other flaws might help to explain why several web browsers no longer support Flash and why Adobe itself decided to rebrand Flash Professional as Animate CC.
Other vulnerabilities targeted Microsoft products, the Android operating system, open-source software, and industrial control systems.
Even so, there is some good news.
"While there were more zero-day vulnerabilities disclosed in 2015, some were proof-of-concept, but vendors were generally quicker to provide fixes in 2015 than in 2014," the security company notes.
Specifically, while the average time of exposure for a zero-day vulnerability in 2014 was 295 days, it was just a week in 2015.
Even more promising, while it took most vendors close to two months (59 days) to patch a zero-day vulnerability in 2014, it took companies just one day a year later.
"The motivations behind such attacks are not clear, and could range from geopolitical disputes to ransom-related attacks," the report reads. "Regardless, if not monitored carefully, such attacks could have serious consequences in the future, and it doesn’t look likely to go away anytime soon."
For more information on the last year's threat activity, please read Symantec's report.