Vulnerability bounty programs and the growing interest of criminals in the online world have created an army of for-profit vulnerability researchers and an increase in targeted zero-day attacks.
Non-public vulnerabilities and exploit toolkits are for sale, enabling anyone to build these directed attacks, including companies that want to test their compliance levels and defences, writes Chris van Niekerk, regional director of McAfee SA.

Discovered vulnerabilities are increasing about 30% annually. Vulnerabilities in Web applications comprised over two-thirds of total vulnerabilities disclosed in the second half of 2005.
Vulnerabilities are also growing in new areas. In the first five months of 2006, more than 80 vulnerabilities in Apple products were disclosed, compared to about 120 for all of 2005 and about 60 for all of 2004. The numbers of Firefox and Mozilla vulnerabilities are also increasing.
Fortunately, as vulnerabilities have increased, vendors’ patch release cycles have shortened, reducing the vulnerability window. In the first half of 2005, the time between a vulnerability’s disclosure and patch availability was 64 days; in the second half of 2005, the window shrank to 49 days. For Windows vulnerabilities, the window in 2005 was 46 days, slightly shorter than the aforementioned industry average. The time between vulnerability disclosure and the availability of an exploit was almost constant in 2005 at around seven days.
The time that companies need to patch systems is falling as well. One study found that the time to patch half of a sample of externally facing systems was about 19 days in the second half of 2005. In 2003, the length was 30 days. This roughly corresponds with a November 2005 study that found 19% of survey respondents took one week or more to patch their systems after the release of a patch. Finally, Oracle joined Microsoft and began a monthly patch-release cycle in 2005. Apple, however, has not yet established a regular patch release cycle.
Several events in the last six months demonstrate the growing market for vulnerabilities and exploits:
* Two for-profit zero-day attacks involved non-public vulnerabilities. One exploited the Internet Explorer WMF vulnerability; the other exploited the Microsoft Word Code Execution vulnerability. The underground knew of both vulnerabilities, and the WMF vulnerability was put up for sale before it was used in an attack.
* In December 2005, an attempt was made to auction an undisclosed Excel vulnerability on eBay. eBay pulled the listing before the auction ended.
* The Zero Day Initiative vulnerability bounty program was launched at the end of 2005, joining iDefense in their efforts to purchase vulnerabilities from independent researchers and work with the affected vendors to fix and disclose them.
* Argeniss Information Security recently launched an exploit toolbox with canned exploits, joining a handful of vendors in this market. Several exploit toolbox vendors offer a two-tiered service that, for a premium, provides zero-day exploits.