Zero-day software vulnerabilities can lurk undetected for years, leaving software users particularly susceptible to hackers. A new study from the RAND Corporation, based on rare access to a dataset of more than 200 such vulnerabilities, provides insights about what entities should do when they discover them.
Until now the big question - whether governments or anyone should publicly disclose or keep quiet about the vulnerabilities - has been difficult to answer because so little is known about how long zero-day vulnerabilities remain undetected or what percentage of them are eventually found by others.
The RAND study is the first publicly available research to examine vulnerabilities that are still currently unknown to the public. The research establishes initial baseline metrics that can augment other studies that have relied on manufactured data, findings only from publicly known vulnerabilities, or expert opinion.
Based on the dataset, RAND researchers have determined that zero-day vulnerabilities have an average life expectancy - the time between initial private discovery and public disclosure - of 6.9 years. That long timeline plus low collision rates - the likelihood of two people finding the same vulnerability (approximately 5.7 percent per year) - means the level of protection afforded by disclosing a vulnerability may be modest and that keeping quiet about - or ‘stockpiling’ - vulnerabilities may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others'.
"Typical 'white hat' researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it," said Lillian Ablon, lead author of the study and an information scientist with RAND, a nonprofit research organization. "Others, like system-security-penetration testing firms and 'grey hat' entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability - or its corresponding exploit - is a game of tradeoffs, particularly for governments."
People who know about these weaknesses may create exploits, or code that takes advantage of that vulnerability to access other parts of a system, execute their own code, act as an administrator or perform some other action. One famous example is the Stuxnet worm, which relied on four Microsoft zero-day vulnerabilities to compromise Iran's nuclear program.
"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them," Ablon said. "On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware in reserve. In that case, stockpiling would be the best option."
Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analyzed by RAND, almost 40 percent are still publicly unknown. Ablon and co-author Andy Bogart were able to determine that 25 percent of vulnerabilities do not survive to 1.5 years and only 25 percent live more than 9.5 years. No vulnerability characteristics indicated a long or short life. However, future analyses may want to examine more closely Linux versus other platform types, the similarity of open and closed source code, and type of exploit class.
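A small model of the two figures the article reports, the roughly 5.7 percent per-year collision rate and the 6.9-year mean lifetime, added here to show how they drive the disclose-versus-stockpile trade-off; it is not code from the RAND study. It assumes collisions are independent across years and that lifetimes are exponentially distributed, both modelling assumptions rather than study findings.

```python
"""Worked example (added here; not from the RAND study or this article).
Assumptions, not findings: independent yearly collision trials, and
exponentially distributed lifetimes with the reported mean."""
import math

COLLISION_RATE_PER_YEAR = 0.057   # reported in the article
MEAN_LIFETIME_YEARS = 6.9         # reported in the article


def p_rediscovered(years, rate=COLLISION_RATE_PER_YEAR):
    """Probability that at least one other party has independently found a
    vulnerability after it has been held privately for `years` years,
    treating each year as an independent trial (assumption)."""
    return 1.0 - (1.0 - rate) ** years


def exponential_quantile(fraction, mean=MEAN_LIFETIME_YEARS):
    """Age by which `fraction` of vulnerabilities would be publicly known if
    lifetimes were exponentially distributed with the given mean
    (assumption), for comparison with the reported quartiles."""
    return -mean * math.log(1.0 - fraction)


def disclose_vs_stockpile(years_held, rate=COLLISION_RATE_PER_YEAR):
    """Summarize the trade-off the article describes for a holder deciding
    after `years_held` years: 'defensive_value' is the chance an adversary
    already has the bug (so disclosing and patching protects the holder);
    'offensive_value' is the chance nobody else does (so disclosing mainly
    helps the adversary defend)."""
    p = p_rediscovered(years_held, rate)
    return {"years_held": years_held,
            "defensive_value": round(p, 3),
            "offensive_value": round(1.0 - p, 3)}


if __name__ == "__main__":
    for held in (1, MEAN_LIFETIME_YEARS, 9.5):
        print(disclose_vs_stockpile(held))
    # Reported quartiles: 25% dead by 1.5 years, 75% dead by 9.5 years.
    print("model 25th percentile: %.2f y (reported 1.5 y)"
          % exponential_quantile(0.25))
    print("model 75th percentile: %.2f y (reported 9.5 y)"
          % exponential_quantile(0.75))
```

Over the mean 6.9-year lifetime the model gives roughly a one-in-three chance of independent rediscovery, and the exponential 75th percentile lands close to the reported 9.5 years while the 25th percentile does not, so the fit is only approximate.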
The study examined what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between. But boiling the argument down to whether a vulnerability is alive versus dead is too simplistic and could create a barrier for vulnerability-detection efforts, Ablon said. A vulnerability may be classified as ‘immortal’ if it's one that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates.
Vulnerabilities that are publicly known are often disclosed with a security advisory or patch, but in other cases, developers or vulnerability researchers post online about a vulnerability without issuing a security advisory. Other vulnerabilities are quasi-alive - ‘zombies’ - because, due to code revisions, they can be exploited in older versions of a product.
Once an exploitable vulnerability has been found, a fully functioning exploit may be developed quickly, with a median time of 22 days. That means any serious attacker can probably obtain an affordable zero-day for almost any target, given the typical life expectancies of these vulnerabilities and the short development time. However, the price for those wishing to purchase such a zero-day exploit from a developer is driven not by labor but by its inherent value, lack of supply and other factors.
Funding for the study, ‘Zero-days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and their Exploits,’ was provided by philanthropic contributions from RAND supporters, income from operations, and from the RAND Institute for Civil Justice.
Industry comments
Mike Ahmadi, global director – critical systems security at Synopsys:
“The findings of the study are indeed aligned with the work we have done in vulnerability research, and I dare say that the problem is much larger than the recent CIA exposure and the RAND study indicate. We regularly find multiple zero-day vulnerabilities when testing systems, and hundreds if not thousands of known vulnerabilities, which are, in reality, a much bigger problem, due to the frequent presence of known exploits for such vulnerabilities. Because the user is rarely aware of known vulnerabilities, and often does not patch, it has the same effect as a zero day, with the additional issue of scale. Any vulnerabilities that are not addressed leave users at risk, and the CIA zero-days are no exception.”
Stuart McClure, CEO, Cylance Inc.:
"The public at large has always been vulnerable to zero-day attacks, and RAND's study is just more evidence around how badly. Just like we've seen with the stockpile of zero-days in the NSA (Snowden) release along with the new CIA Vault 7 release, the offensive actors rely heavily on these secretly discovered holes and backdoors, and work hard to falsely attribute their origins."
Art Swift, president, prpl Foundation:
“The irony of these findings is that in the government’s attempt to protect US citizens from cyber attacks, it’s actually exposing them to cyber criminals and nation state attackers in the worst way. By using these flaws and encouraging vendor backdoors, it weakens the whole system. There is no such thing as a completely ‘safe’ backdoor. If the government has access, then the secret is already out. Instead it should be encouraging the use of open source with hardware backed security or at the very least getting vendors to fix these flaws.”
John Cloonan, director of product at malware detection firm Lastline:
“The notion of vulnerabilities being stockpiled and reused is not new. There have been a few companies whose business model has been finding and weaponizing zero days. To some extent, the process does leave the general user base at increased risk; however, as the research shows, there is a low probability of multiple researchers identifying the same vulnerability - the risk is limited to those in the crosshairs.
“Where I think users are at increased risk is when vulnerabilities carry on for multiple years. Vulnerabilities like the series of long-lived and widely publicized ones found in 2014 (including Heartbleed and Shellshock) may or may not have been previously known by individual entities - they are all examples of good ones to have been stockpiled and used as needed. Given the age of the vulnerability plus the number and breadth of the systems impacted, it would not be a stretch to say that anyone with prior knowledge who had weaponized these vulnerabilities had a master key to almost every network.
“In these cases users and organizations were most definitely put at increased risk, because many of the systems that were impacted were no longer supported by the vendor. Home users were either completely unaware or left only with the option to stop using the device (computer, router, etc). In addition, business users had to establish additional controls to mitigate the threat and were left to force hurried upgrades across their network.”
Craig Young, security researcher at Tripwire:
“This study from RAND is very unscientific for several reasons. First, they are looking at only 200 vulnerabilities, which is a small percentage of the number of vulnerabilities being discovered each year. The CVE project, which documents just a portion of publicly disclosed vulnerabilities, had 6,435 identifiers released in 2016 plus as many as 3,500 additional identifiers that were assigned but have not yet been revealed publicly. (Many CVEs are never revealed publicly due to constraints on the project and requirements that there is public documentation on the vulnerability.) This is in addition to an unknown number of vulnerabilities discovered by hackers with no intention of disclosing the vulnerabilities.
“Another big problem with the study is that statistics such as the median time of 22 days to develop an exploit are incredibly misleading because vulnerabilities can be drastically different in terms of exploitation complexity. For example, many of the vulnerabilities I’ve found in consumer embedded devices have been command injection flaws which require just a few minutes to develop an exploit while memory corruption flaws commonly found in web browsers, document readers, and smartphones can take months to produce a reliable exploit. It is also worth noting that on modern computing systems, a single vulnerability is frequently insufficient to gain control of a system unless it is chained with additional vulnerabilities to bypass security mechanisms.
“The researchers use this data to support the claim that it is in the best interest for national governments to stockpile vulnerabilities with the argument that it is unlikely that other adversaries have also identified the flaw. I think it is a very bold claim to make based on this very limited data set, especially considering that it is very common for multiple researchers to find the same critical vulnerabilities independently. Two very high profile examples of this are the Heartbleed and Stagefright vulnerabilities affecting OpenSSL and Android respectively. In each case, multiple research groups identified the vulnerabilities independently and around the same time. Another more compelling data point, however, is the high percentage of duplicate vulnerability reports received by bug bounty programs. For example, refer to Google’s charts from their bug bounty program found here. From the top chart on that page (under the heading Traffic), it should be very clear that a large portion of the valid vulnerability reports Google receives are reported by multiple researchers. I have also found this to be the case with other bug bounty programs, where I tend to find that one third to two thirds of the reports I submit turn out to be previously or subsequently found by another researcher during the short window before the bug gets fixed.
“The research also fails to consider the impact of active exploitation on overall ‘bug lifetimes’. After an attacker would start exploiting vulnerabilities against their targets, it is far more likely that someone will become aware of the vulnerability and inform the vendor or produce content for security products to block the attacks.”
Alex Mathews, lead security evangelist at Positive Technologies:
“The number of ‘stockpiled’ zero-day vulnerabilities itself won't tell you much about the risk levels. Different zero-days are discovered every day. Sometimes, for big money. Sometimes, just for fun. For example, in one of our security contests at Positive Hack Days, about 10 zero-days in real industrial control system software (SCADA) were found in just two days. Some of them are already fixed, some not, but it's hard to make any predictions just because of their existence.
“The more interesting information is how zero-days are used. It's complicated and expensive work, actually. A sort of ‘James Bond gadget’. So, if you're interested in the impact on common users' security, here is the good news: just a few of them will suffer from real zero-days. Most will suffer from primitive, cheap and well-known vulnerabilities. Our own investigation of digital incidents in 2016 showed that most cybercriminals now use simple methods that are inexpensive to implement, including ready-to-use exploits for known vulnerabilities. After all, why go to the expense of blowing the doors off if they’re not locked in the first place! Namely: simple passwords, outdated software and the human desire to open any letter in the mailbox are the main problems.”
Oliver Pinson-Roxburgh, EMEA director at Alert Logic:
“Zero-days typically get identified as a need exists, during a pen test or targeted attack. It is no surprise to me that, if you put in a concerted effort to look, you will find significant numbers of vulnerabilities that are not known.
“The fact is that there are so many targets out there with known vulnerabilities, so why go looking for more till you exhaust your options (rinse and repeat what works)? When it’s more targeted is a different story (that’s when you bring in the 1337 team and look for new stuff). Often in targeted attacks you need a combination of approaches, which may include social engineering, targeted malware or maybe even some zero-day attacks.
“We have had experience dealing with vendors where some new discoveries were not taken seriously. We told the vendors that these zero-days exist and have not been seen in the past; our researchers were told that they only affect old versions of their hardware and that they didn’t see the need to publish the issues as the upgrade/fix already existed, even though the vulnerability had not been highlighted. Needless to say, that is not a great response, and the potential impact is large even though it affects older systems (we all know how well people manage upgrades).”
Marco Cova, Senior Security Researcher at Lastline:
“The most interesting part of the study is their analysis of the collision rate (that is, how frequently the same vulnerability/zero-day is found by different groups). This result does take away some arguments from those who want governmental agencies to unilaterally disclose zero-days they control (so that they can be patched): if it's relatively unlikely that knowledge of a vulnerability is also acquired by third parties (e.g., an unfriendly state), then there's little risk that that vulnerability is actually exploited, and conversely there's little benefit in disclosing it and in the consequent patching. Along the same lines, it would seem rational policy to disclose a zero-day when there's evidence that it's known to third parties.
“The study does some initial work in framing the issue in terms of economic trade-offs: the pricing of exploits, the different values of different exploit types, etc. It would have been interesting here to get more data on how exploits are actually used (how much time after the acquisition, who the targets are, how many times it's used, etc.), so that one could reason more comprehensively on exploit value vs. patch value. The debate on zero-days often describes the acquisition of zero-days in terms of ‘stockpiling’ (and the RAND study reuses this term), but I'd expect that agencies buy or develop exploits that they actually use: it's not hoarding but rather acquiring capabilities.
“The paper mentions a few times that, yes, different groups will have zero-days at their disposal and that those working on defences should look into several directions: patching is one, but one can defend by having better detection capabilities, mitigation, and containment. This sounds like sound advice.”
Javvad Malik, Security Advocate at AlienVault:
“Zero-days aren’t so much a concern for average users. Cyber criminals tend to go for tried and tested methods to attack users and have built pretty efficient processes around it, e.g. phishing or ransomware. Larger enterprises such as financial services, critical national infrastructure, and governments are usually the ones that need to factor in zero-days and targeted attacks in their threat model.”
Gavin Millard, EMEA Technical Director, Tenable Network Security:
“It shouldn’t be a surprise to anyone within the security industry that well-funded researchers can, and do, discover previously unknown vulnerabilities that could be stockpiled for use against a high value target. What’s interesting in the study released by the RAND organization, though, is the significant time lag between the initial discovery of a vulnerability that has been hoarded by a researcher and the rediscovery by a researcher who takes the more righteous and common approach of disclosing publicly.
“With the recent leaks surrounding activities by nation states and their capabilities, the uncomfortable reality is that the only secure system is a disconnected system and, if the motivation is there, a highly resourced threat actor can gain access to almost any system. For the average consumer, though, it isn’t the zero-day exploits that will cause an impact, but existing bugs that have been leveraged by cyber criminals for a quick pay off through ransomware or other malicious monetising methods. The best defence for almost everyone is keeping up to date with fixes that have been released by the vendors, as the probability of a zero-day being leveraged against them is incredibly low.”