Zero-day software vulnerabilities – security holes that developers haven’t fixed or aren’t aware of – can lurk undetected for years, leaving software users particularly susceptible to hackers. A new study from the RAND Corporation, based on rare access to a dataset of more than 200 such vulnerabilities, provides insights about what entities should do when they discover them. RAND researchers have determined that zero-day vulnerabilities have an average life expectancy – the time between initial private discovery and public disclosure – of 6.9 years. IT security experts from Synopsys, Cylance Inc., prpl Foundation, Lastline, Positive Technologies, Alert Logic, AlienVault and Tenable Network Security commented below.
Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:
“The findings of the study are indeed aligned with the work we have done in vulnerability research, and I dare say that the problem is much larger than the recent CIA exposure and the RAND indicate. We regularly find multiple zero day vulnerabilities when testing systems, and hundreds if not thousands of known vulnerabilities, which are, in reality, a much bigger problem, due to the frequent presence of known exploits for such vulnerabilities. Because the user is rarely aware of known vulnerabilities, and often does not patch, it has the same effect as a zero day, with the additional issue of scale. Any vulnerabilities that are not addressed leaves users at risk, and the CIA zero days are no exception.”
Stuart McClure, CEO at Cylance Inc.:
“The public at large has always been vulnerable to zero day attacks, and RAND’s study is just more evidence around how badly. Just like we’ve seen with the stockpile of zero days in the NSA (Snowden) release along with the new CIA Vault 7 release, the offensive actors rely heavily on these secretly discovered holes and backdoors, and work hard to falsely attribute their origins.”
.Art Swift, President at prpl Foundation:
“The irony of these findings is that in the government’s attempt to protect US citizens from cyber attacks, it’s actually exposing them to cyber criminals and nation state attackers in the worst way. By using these flaws and encouraging vendor backdoors, it actually weakens the whole system. There is no such thing as a completely “safe” backdoor. If the government has access, then the secret is already out. Instead it should be encouraging the use of open source with hardware backed security or at the very least getting vendors to fix these flaws.”
John Cloonan, Director of Product at Malware Detection Firm Lastline:
“The notion of vulnerabilities being stockpiled and reused is not new. There have been a few companies whose business model has been finding and weaponizing zero days. To some extent, the process does leave the general user base at increased risk, however as the research shows there is a low probability of multiple researchers identifying the same vulnerability – the risk is limited to those in the crosshairs.
“Where I think users are at increased risk is when vulnerabilities carry on for multiple years. Vulnerabilities like the series of long lived and widely publicized ones found in 2014 (including Heartbleed and Shellshock) may or may not have been previously known by individual entities – they are all examples of good ones to have been stockpiled and used as needed. Given the age of the vulnerability plus the number and breadth of the systems impacted, it would not be a stretch to say that anyone with prior knowledge who had weaponized these vulnerabilities had a master key to almost every network.
“In these cases users and organizations were most definitely put at increased risk, because many of the systems that were impacted were no longer supported by the vendor. Home users were either completely unaware or left only with the option to stop using the device (computer, router, etc). In addition, business users had to establish additional controls to mitigate the threat and were left to force hurried upgrades across their network.”
Marco Cova, Senior Security Researcher at Lastline:
“The most interesting part of the study is their analysis of the collision rate (that is, how frequently the same vulnerability/zero-day is found by different groups). This result does take away some arguments to those who want governmental agencies to unilaterally disclose zero days they control (so that they can be patched): If it’s relatively unlikely that knowledge of a vulnerability is acquired also by third parties (e.g., an unfriendly state), then there’s little risk that that vulnerability is actually exploited, and conversely there’s little benefit in disclosing it and in the consequent patching. Along the same lines, it would seem rational policy to disclose a zero day when there’s evidence that it’s known to third parties.
The study does some initial work in framing the issue in terms of economics trade-offs: the pricing of exploits, the different values of different exploit type, etc. It would have been interesting here to get more data on how exploits are actually used (how much time after the acquisition, who are the targets, how many times it’s used, etc.), so that one could reason more comprehensively on exploit value vs. patch value. The debate on zero day often describes the acquisition of zero days in term of “stockpiling” (and the RAND study reuses this term), but I’d expect that agencies buy or develop exploits that they actually use: it’s not hoarding but rather acquiring capabilities.
The paper mentions a few times that, yes, different groups will have zero days at their disposal and that those working on defences should look into several directions: patching is one, but one can defend by having better detection capabilities, mitigation, and containment. This sounds like sound advice.”
Craig Young, Security Researcher at Tripwire:
“This study from RAND is very unscientific for several reasons. First, they are looking at only 200 vulnerabilities which is a small percentage of the number of vulnerabilities being discovered each year. The CVE project which documents just a portion of publicly disclosed vulnerabilities had 6,435 identifiers released in 2016 plus as many as 3,500 additional identifiers that were assigned but have not yet been revealed publicly. (Many CVEs are never revealed publicly due to constraints on the project and requirements that there is public documentation on the vulnerability.) This is in addition to an unknown number of vulnerabilities discovered by hackers with no intention of disclosing the vulnerabilities.
Another big problem with the study is that statistics such as the median time of 22 days to develop an exploit are incredibly misleading because vulnerabilities can be drastically different in terms of exploitation complexity. For example, many of the vulnerabilities I’ve found in consumer embedded devices have been command injection flaws which require just a few minutes to develop an exploit while memory corruption flaws commonly found in web browsers, document readers, and smartphones can take months to produce a reliable exploit. It is also worth noting that on modern computing systems, a single vulnerability is frequently insufficient to gain control of a system unless it is chained with additional vulnerabilities to bypass security mechanisms.
The researchers use this data to support the claim that it is in the best interest for national governments to stockpile vulnerabilities with the argument that it is unlikely that other adversaries have also identified the flaw. I think it is a very bold claim to make based on this very limited data set especially considering that it is very common for multiple researchers to find the same critical vulnerabilities independently. Two very high profile examples of this are the Heartbleed and Stagefright vulnerabilities affecting OpenSSL and Android respectively. In each case, multiple research groups identified the vulnerabilities independently and around the same time. Another more compelling data point however is the high percentage of duplicate vulnerability reports received by bug bounty programs. For example, refer to the Google’s charts from their bug bounty program found here: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts/2016 From the top chart on that page (under the heading Traffic), it should be very clear that a large portion of the valid vulnerability reports Google receives are reported by multiple researchers. I have also found this to be the case with other bug bounty programs where I tend to find that 1/3 to 2/3rds of the reports I submit turn out to be previously or subsequently found by another researcher during the short window before the bug gets fixed.
The research also fails to consider the impact of active exploitation on overall ‘bug lifetimes’. After an attacker would start exploiting vulnerabilities against their targets, it is far more likely that someone will become aware of the vulnerability and inform the vendor or produce content for security products to block the attacks.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“The number of “stockpiled” 0-day vulnerabilities itself won’t tell you much about the risk levels. Different 0-days are discovered every day. Sometimes, for big money. Sometimes, just for fun. For example, in one of our security contests at Positive Hack Days, about 10 zero-days in real industrial control system software (SCADA) were found in just 2 days. Some of them are already fixed, some not, but it’s hard to do any predictions just because of the existence.
The more interesting info if how 0-days are used. It’s a complicated and expensive work, actually. A sort of “James Bond gadget”. So, if you’re interested in the impact on common users’ security, here is the good news: just a few of them will suffer from real 0-days. Most will suffer from primitive, cheap and well-known vulnerabilities. Our own investigation of digital incidents in 2016 showed that most cybercriminals now use simple methods that are inexpensive to implement, including ready-to-use exploits for known vulnerabilities. After all, why go to the expense of blowing the doors off if they’re not locked in the first place! Namely: simple passwords, outdated software and human desire to open any letter in the mailbox are the main problems.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“Zero days are typically get identified as a need exists, during a pen test or targeted attack. It is no surprise to me that, if you put in a concerted effort to look, you will find significant numbers of vulnerabilities that are not known.
The fact is that there are so many targets out there with known vulnerabilities, so why go looking for more till you exhaust your options (rinse and repeat what works). When it’s more targeted is a different story (that’s when you bring 1337 team and look for new stuff). Often in targeted attacks you need a combination of approaches which may include social engineering, targeted malware or maybe even some zero day attacks.
We have had experience dealing with vendors where some new discoveries were not taken seriously. We told the vendors that these zero days exist and have not been seen in the past, our researchers were told that they only effect old versions of their hardware and that they didn’t see the need to publish the issues as the upgrade/fix already existed even though the vulnerability had not been highlighted. Needless to say that is not a great response and the potential impact is large even though it affects older systems (we all know how well people manage upgrades).”
Javvad Malik, Security Advocate at AlienVault:
“Zero days aren’t so much a concern for average users. Cyber criminals tend to go for tried and tested methods to attack users and have built pretty efficient processes around it, e.g. phishing or ransomware. Larger enterprises such as financial services, critical national infrastructure, and governments are usually the ones that need to factor in zero days and targeted attacks in their threat model.”
.Gavin Millard, EMEA Technical Director at Tenable Network Security:
“It’s shouldn’t be a surprise to anyone within the security industry that well funded researchers can, and do, discover previously unknown vulnerabilities that could be stockpiled for use against a high value target. What’s interesting in the study released by the RAND organisation though, is the significant time lag between the initial discovery of a vulnerability that has been hoarded by a researcher and the rediscovery by a researcher who takes the more righteous and common approach disclosing publicly.
“With the recent leaks surrounding activities by nation states and their capabilities, the uncomfortable reality is that the only secure system is a disconnected system and, if the motivation is there, a highly resourced threat actor can gain access to almost any system. For the average consumer though, it isn’t the zero day exploits that will cause an impact, but existing bugs that have been leveraged by cyber criminals for a quick pay off through ransomware or other malicious monetising methods. The best defence for almost everyone is keeping up to date with fixes that have been released by the vendors, as the probability that a zero day being leveraged against them is incredibly low.”