Vulnerabilities / Threats

04:40 PM
Connect Directly

Stockpiling 0-Day Bugs Not So Dangerous After All, RAND Study Shows

A RAND Corp. study of more than 200 zero-days shows that benefits of disclosure can often be more modest than perceived.

The practice by US intelligence agencies and presumably of other governments to stockpile zero-day vulnerabilities for use in offensive cyber operations may not always pose as much of a risk to general technology users as once thought.

In fact, the tactical and strategic benefits that governments can gain from stockpiling vulnerabilities sometimes outweigh the security benefits of public disclosure, according to a new report by RAND Corp.

The report is based on a study of more than 200 zero-day flaws obtained from a vulnerability research group, many of whose members have worked for nation-state actors. The group, which RAND calls BUSBY to protect its anonymity, has also supplied exploits to nation-state actors, according to the think-tank.

RAND’s study revealed that arguments for or against the stockpiling of zero-days for defensive purposes like penetration testing or for use against adversaries, are not always clear-cut.

One major contention against stockpiling zero-days is that adversaries often may have knowledge about the same vulnerabilities, and therefore keeping the flaws secret would prevent the software from being patched, resulting in needless risks for users.

The recent dump of the CIA's malware arsenal and exploit kits on WikiLeaks and the similar leak of the US National Security Agency (NSA) confidential hacking tools last year raised considerable concerns about government stockpiles of zero-day flaws in widely used network and security products. Some have argued the intelligence agencies have a responsibility to American business and citizens to disclose discovery of such flaws so technology users can be better protected.

But The RAND study showed that concerns about an overlap between US vulnerability stockpiles and those maintained by others are likely overstated.

For one thing, most zero-day vulnerabilities typically remain undetected for a long time. Based on the dataset that the RAND researchers inspected, the average life expectancy of a zero-day vulnerability—or the time between when it was first discovered privately and when it was publicly disclosed—is 6.9 years.

During that period, the chances of another researcher finding that exact same flaw were relatively low, at around 5.7% per year.

While that number is not insignificant, it also means the chances of two people finding the same zero-day flaw is lower that many might perceive. As a result, the gains from publicly disclosing a zero-day flaw may not be all that significant a majority of the time, the RAND report said.

"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense," said Lillian Albion, lead author of the RAND report and information scientist. "On the other hand, publicly disclosing a vulnerability that isn’t known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability," while still retaining their own.

Albion says that conversations with researchers show that in a majority of instances, vulnerabilities are discovered due to code churn - and less often by another vulnerability researcher performing a code audit.

"None we spoke to believed that their vulnerabilities or exploits died or were discovered due to use by a customer in some operational campaign, or by information leakage," such as those by WikiLeaks or Shadow Brokers, Albion says.

In general, black hats and cybercriminals tend to focus more on known vulnerabilities rather than 0-day flaws, she says. "Only a very small portion of the black markets deals with zero-day vulnerabilities and exploits—which have little value for mass market malware, much less ordinary cybercrime."

The RAND study also unearthed some other interesting nuggets. For instance, of the more than 200 vulnerabilities that RAND inspected, about 40% remain undisclosed. Fully functioning exploits for zero-day flaws tend to get developed very quickly with a median time of 22-days.

About 25% of all zero-day flaws get discovered within 18 months, while another 25% live on for more than nine years on average. Significantly, there were no specific characteristic or marker to indicate the longevity of a zero-day bug.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/20/2018
City of Atlanta Hit with Ransomware Attack
Dark Reading Staff 3/23/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.