Zero-day software vulnerabilities – security holes that developers haven’t fixed or aren’t aware of – can lurk undetected for years, leaving software users particularly susceptible to hackers. A new study from the RAND Corporation, based on rare access to a dataset of more than 200 such vulnerabilities, provides insights about what entities should do when they discover them. RAND researchers have determined that zero-day vulnerabilities have an average life expectancy – the time between initial private discovery and public disclosure – of 6.9 years. IT security experts from Synopsys, Cylance Inc., prpl Foundation, Lastline, Positive Technologies, Alert Logic, AlienVault and Tenable Network Security commented below.
Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:
Stuart McClure, CEO at Cylance Inc.:
Art Swift, President at prpl Foundation:
John Cloonan, Director of Product at Malware Detection Firm Lastline:
“Where I think users are at increased risk is when vulnerabilities carry on for multiple years. Vulnerabilities like the series of long-lived and widely publicized ones found in 2014 (including Heartbleed and Shellshock) may or may not have been previously known by individual entities – they are all examples of good ones to have been stockpiled and used as needed. Given the age of the vulnerability plus the number and breadth of the systems impacted, it would not be a stretch to say that anyone with prior knowledge who had weaponized these vulnerabilities had a master key to almost every network.
“In these cases users and organizations were most definitely put at increased risk, because many of the systems that were impacted were no longer supported by the vendor. Home users were either completely unaware or left only with the option to stop using the device (computer, router, etc.). In addition, business users had to establish additional controls to mitigate the threat and were left to force hurried upgrades across their network.”
Marco Cova, Senior Security Researcher at Lastline:
“The study does some initial work in framing the issue in terms of economic trade-offs: the pricing of exploits, the different values of different exploit types, etc. It would have been interesting here to get more data on how exploits are actually used (how much time after the acquisition, who the targets are, how many times it’s used, etc.), so that one could reason more comprehensively on exploit value vs. patch value. The debate on zero days often describes the acquisition of zero days in terms of “stockpiling” (and the RAND study reuses this term), but I’d expect that agencies buy or develop exploits that they actually use: it’s not hoarding but rather acquiring capabilities.
The paper mentions a few times that, yes, different groups will have zero days at their disposal and that those working on defences should look into several directions: patching is one, but one can defend by having better detection capabilities, mitigation, and containment. This sounds like sound advice.”
Craig Young, Security Researcher at Tripwire:
“Another big problem with the study is that statistics such as the median time of 22 days to develop an exploit are incredibly misleading, because vulnerabilities can be drastically different in terms of exploitation complexity. For example, many of the vulnerabilities I’ve found in consumer embedded devices have been command injection flaws which require just a few minutes to develop an exploit, while memory corruption flaws commonly found in web browsers, document readers, and smartphones can take months to produce a reliable exploit. It is also worth noting that on modern computing systems, a single vulnerability is frequently insufficient to gain control of a system unless it is chained with additional vulnerabilities to bypass security mechanisms.
The researchers use this data to support the claim that it is in the best interest of national governments to stockpile vulnerabilities, with the argument that it is unlikely that other adversaries have also identified the flaw. I think it is a very bold claim to make based on this very limited data set, especially considering that it is very common for multiple researchers to find the same critical vulnerabilities independently. Two very high profile examples of this are the Heartbleed and Stagefright vulnerabilities affecting OpenSSL and Android respectively. In each case, multiple research groups identified the vulnerabilities independently and around the same time. Another more compelling data point, however, is the high percentage of duplicate vulnerability reports received by bug bounty programs. For example, refer to Google’s charts from their bug bounty program found here: https://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts/2016 From the top chart on that page (under the heading Traffic), it should be very clear that a large portion of the valid vulnerability reports Google receives are reported by multiple researchers. I have also found this to be the case with other bug bounty programs, where I tend to find that 1/3 to 2/3rds of the reports I submit turn out to be previously or subsequently found by another researcher during the short window before the bug gets fixed.
The research also fails to consider the impact of active exploitation on overall ‘bug lifetimes’. After an attacker starts exploiting vulnerabilities against their targets, it is far more likely that someone will become aware of the vulnerability and inform the vendor or produce content for security products to block the attacks.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“The more interesting info is how 0-days are used. It’s complicated and expensive work, actually. A sort of “James Bond gadget”. So, if you’re interested in the impact on common users’ security, here is the good news: just a few of them will suffer from real 0-days. Most will suffer from primitive, cheap and well-known vulnerabilities. Our own investigation of digital incidents in 2016 showed that most cybercriminals now use simple methods that are inexpensive to implement, including ready-to-use exploits for known vulnerabilities. After all, why go to the expense of blowing the doors off if they’re not locked in the first place! Namely: simple passwords, outdated software and the human desire to open any letter in the mailbox are the main problems.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“The fact is that there are so many targets out there with known vulnerabilities, so why go looking for more till you exhaust your options (rinse and repeat what works). When it’s more targeted, it is a different story (that’s when you bring in the 1337 team and look for new stuff). Often in targeted attacks you need a combination of approaches, which may include social engineering, targeted malware or maybe even some zero day attacks.
We have had experience dealing with vendors where some new discoveries were not taken seriously. We told the vendors that these zero days exist and have not been seen in the past; our researchers were told that they only affect old versions of their hardware and that they didn’t see the need to publish the issues as the upgrade/fix already existed, even though the vulnerability had not been highlighted. Needless to say, that is not a great response, and the potential impact is large even though it affects older systems (we all know how well people manage upgrades).”
Javvad Malik, Security Advocate at AlienVault:
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“With the recent leaks surrounding activities by nation states and their capabilities, the uncomfortable reality is that the only secure system is a disconnected system and, if the motivation is there, a highly resourced threat actor can gain access to almost any system. For the average consumer though, it isn’t the zero day exploits that will cause an impact, but existing bugs that have been leveraged by cyber criminals for a quick pay off through ransomware or other malicious monetising methods. The best defence for almost everyone is keeping up to date with fixes that have been released by the vendors, as the probability of a zero day being leveraged against them is incredibly low.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.