(Refiles April 11 story to add dropped words in fifth paragraph)
By Joseph Menn
SAN FRANCISCO (Reuters) - The number of previously unknown software flaws used by hackers more than doubled last year, a new report says, in another sign of the increasing sophistication of cybercrime and online espionage.
Secret vulnerabilities in computer programs are especially prized by criminal gangs, law enforcement and spies because software vendors have not been warned and so cannot publish fixes.
In 2015, 54 such holes came to light and were deployed by hackers, according to a report published on Monday by the largest security software vendor, Symantec Corp. That is up dramatically from 24 the year before and 23 the year before that; the next-highest total over the past 10 years was 15 in 2007.
Symantec’s total of “zero-day” or unknown vulnerabilities includes both flaws that were discovered because they were used by top-flight hackers who left tracks and those that were revealed to the public at the same time as the software maker.
In 2015, electronic files from a company named “Hacking Team” were dumped on the Internet, including six zero-days that criminals quickly made use of.
Thousands of other flaws were identified as usual last year by vendors, outside researchers, and government agencies. The vendors develop and issue patches, either announcing the flaws or pointing to them by virtue of the fixes.
Since criminals and others immediately take advantage of flaws to reach into unfixed machines, users must patch rapidly and completely or face being hacked.
Though most attacks happen because of inadequate patching, the rapid spread of new flaws through “exploit kits” sold in underground forums has allowed zero-days to be obtained by more people, including those installing ransomware and programs for stealing financial logins.
Four of the five most-used zero-day vulnerabilities last year were in Adobe Systems Inc’s Flash software, which can be used as a standalone program or a plug-in for various Web browsers, not all of which automatically update with Flash patches. Symantec said it expected Flash to become less popular as platforms stop supporting it, making it less of a bonanza for hackers.
Adobe said it had improved its security response. “Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers,” the company said via email.
“With regards to zero-days, we’ve been able to expedite the patching process to just days.”
Reporting by Joseph Menn; Editing by Andrew Hay