Zero-day software vulnerabilities revealed

A new study by RAND Corporation has uncovered zero-day software vulnerabilities and gives insight into what organisations should do when they discover them.

The study is the first publicly available research to examine vulnerabilities that are still currently unknown to the public.

Based on a dataset of more than 200 vulnerabilities, RAND researchers have determined that they have an average life expectancy (the time between initial private discovery and public disclosure) of 6.9 years.

This means that the level of protection afforded by disclosing vulnerability may be modest and that keeping quiet about, or ‘stockpiling’, vulnerabilities may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others.

“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it,” said Lillian Ablon, lead author of the study and an information scientist with RAND.

“Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability — or its corresponding exploit — is a game of trade-offs, particularly for governments.”

People who know about these weaknesses may create ‘exploits’, or code that takes advantage of that vulnerability to access other parts of a system, execute their own code, act as an administrator or perform some other action. One famous example is the Stuxnet worm, which relied on four Microsoft zero-day vulnerabilities to compromise Iran’s nuclear program.

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defence by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” Ablon said.

“On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve. In that case, stockpiling would be the best option.”

Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analysed by RAND, almost 40% are still publicly unknown. Ablon and co-author Andy Bogart were able to determine that 25% of vulnerabilities do not survive to 1.5 years and only 25% live more than 9.5 years. No vulnerability characteristics indicated a long or short life.

The study examined what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known) or somewhere in between. But boiling the argument down to whether vulnerability is ‘alive’ or ‘dead’ is too simplistic and could create a barrier for vulnerability-detection efforts, according to Ablon. A vulnerability may be classified as ‘immortal’ if it is one that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates.

Vulnerabilities that are publicly known are often disclosed with a security advisory or patch, but in other cases, developers or vulnerability researchers post online about a vulnerability without issuing a security advisory. Other vulnerabilities are quasi-alive — ‘zombies’ — because, due to code revisions, they can be exploited in older versions of a product.

Once an exploitable vulnerability has been found, a fully functioning exploit may be developed quickly, with a median time of 22 days. That means any serious attacker can likely obtain an affordable zero-day for almost any target, given the typical life expectancies of these vulnerabilities and the short development time. However, most of the price for those wishing to purchase such a zero-day exploit from a developer is driven not by labour but by its inherent value, lack of supply and other factors.

Image credit: ©stock.adobe.com/au/tashatuvango

Follow us on Twitter and Facebook