Vulnerabilities / Threats
04:40 PM
Connect Directly

Stockpiling 0-Day Bugs Not So Dangerous After All, RAND Study Shows

A RAND Corp. study of more than 200 zero-days shows that benefits of disclosure can often be more modest than perceived.

The practice by US intelligence agencies and presumably of other governments to stockpile zero-day vulnerabilities for use in offensive cyber operations may not always pose as much of a risk to general technology users as once thought.

In fact, the tactical and strategic benefits that governments can gain from stockpiling vulnerabilities sometimes outweigh the security benefits of public disclosure, according to a new report by RAND Corp.

The report is based on a study of more than 200 zero-day flaws obtained from a vulnerability research group, many of whose members have worked for nation-state actors. The group, which RAND calls BUSBY to protect its anonymity, has also supplied exploits to nation-state actors, according to the think-tank.

RAND’s study revealed that arguments for or against the stockpiling of zero-days for defensive purposes like penetration testing or for use against adversaries, are not always clear-cut.

One major contention against stockpiling zero-days is that adversaries often may have knowledge about the same vulnerabilities, and therefore keeping the flaws secret would prevent the software from being patched, resulting in needless risks for users.

The recent dump of the CIA's malware arsenal and exploit kits on WikiLeaks and the similar leak of the US National Security Agency (NSA) confidential hacking tools last year raised considerable concerns about government stockpiles of zero-day flaws in widely used network and security products. Some have argued the intelligence agencies have a responsibility to American business and citizens to disclose discovery of such flaws so technology users can be better protected.

But The RAND study showed that concerns about an overlap between US vulnerability stockpiles and those maintained by others are likely overstated.

For one thing, most zero-day vulnerabilities typically remain undetected for a long time. Based on the dataset that the RAND researchers inspected, the average life expectancy of a zero-day vulnerability—or the time between when it was first discovered privately and when it was publicly disclosed—is 6.9 years.

During that period, the chances of another researcher finding that exact same flaw were relatively low, at around 5.7% per year.

While that number is not insignificant, it also means the chances of two people finding the same zero-day flaw is lower that many might perceive. As a result, the gains from publicly disclosing a zero-day flaw may not be all that significant a majority of the time, the RAND report said.

"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense," said Lillian Albion, lead author of the RAND report and information scientist. "On the other hand, publicly disclosing a vulnerability that isn’t known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability," while still retaining their own.

Albion says that conversations with researchers show that in a majority of instances, vulnerabilities are discovered due to code churn - and less often by another vulnerability researcher performing a code audit.

"None we spoke to believed that their vulnerabilities or exploits died or were discovered due to use by a customer in some operational campaign, or by information leakage," such as those by WikiLeaks or Shadow Brokers, Albion says.

In general, black hats and cybercriminals tend to focus more on known vulnerabilities rather than 0-day flaws, she says. "Only a very small portion of the black markets deals with zero-day vulnerabilities and exploits—which have little value for mass market malware, much less ordinary cybercrime."

The RAND study also unearthed some other interesting nuggets. For instance, of the more than 200 vulnerabilities that RAND inspected, about 40% remain undisclosed. Fully functioning exploits for zero-day flaws tend to get developed very quickly with a median time of 22-days.

About 25% of all zero-day flaws get discovered within 18 months, while another 25% live on for more than nine years on average. Significantly, there were no specific characteristic or marker to indicate the longevity of a zero-day bug.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.