Security holes known as zero-day vulnerabilities can lie dormant for up to 10 years, a study has suggested.
And this means that hackers have plenty of time to develop sophisticated exploits for a range of software.
The study, from research organisation Rand, looked at 200 security flaws, 40% of which are not yet publicly known.
It comes as documents from Wikileaks suggest the CIA has collected a portfolio of zero-day vulnerabilities.
The study suggests:
- 25% of vulnerabilities become publicly known within one and a half years
- 25% remain undiscovered for more than nine and a half years
- Vulnerabilities that are publicly known are often disclosed with a patch
- Once a vulnerability is found, an exploit can be developed in an average of 22 days