12:15 PM
George V. Hulme

How Many (Sub) Zero-Day Attacks?

We now know that one of the vectors used in the series of attacks against U.S. businesses was a zero-day vulnerability in Internet Explorer. Apparently, the way most of the world learned of this particular flaw was when it was actually used in these attacks. That's some powerful form of "disclosure," but how common is it?

We will probably never know unless software vendors start publicly disclosing how they learn of their software security flaws. A security flaw, such as that used in the attack against Google, can be uncovered several ways:

- The software vendor can uncover the vulnerability itself through a code review. They'll (hopefully) fix it, and provide a patch to customers. Other than finding the flaw during development, this is one of the best ways these things are found.

- A security researcher (a customer, or someone else outside the vendor) finds the flaw and reports it to the software vendor, who will then (hopefully) provide a patch at the time the flaw is disclosed to customers.

- A security researcher finds the flaw and announces it to the world on a security mailing list or in a blog post. Sometimes they'll publish exploit code at the same time, sometimes not. This is generally a bad way for the rest of the world to learn of the flaw, as software vendors have to scramble to develop the patch, and everyone who uses the software is at risk of being attacked in the meantime.

- That brings us to the worst ways such vulnerabilities are found, at least for the general computing and Internet community. The software security hole is found by a black hat, cyber-criminal, or state-sponsored researcher. The flaw could be sold on the black market to other criminals to be used in their attacks. Or, in the case of state-sponsored attackers and organized crime, the flaw could be tucked away for later use in their attack arsenal.

We will usually only learn of the last category when it's used in an attack that is made public, such as Aurora. That's, presumably, how Microsoft first learned of the flaws in its security advisory 979352, when it said that it is "investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer."

In its acknowledgments section, Microsoft thanked Google, security firm Mandiant, Adobe, and McAfee for help and for providing details of the attack.

How many software flaws are discovered as zero-days under active attack? We know of plenty of zero-day attacks in which the software vulnerability is disclosed publicly first and attack code follows before the patch is published. But public disclosures of attacks in which a previously unknown (to the public or the software vendor) vulnerability is exploited are rare.

Pete Lindstrom, research director at Spire Security, maintains a list of 21 such vulnerabilities (he calls them undercover vulnerabilities) since 1988. The Open Source Vulnerability Database has 87 vulnerabilities categorized as "Discovered in the Wild."

Considering that thousands of ordinary software security vulnerabilities are discovered every year, that's not very many. The National Vulnerability Database, as of today, has 40,408 vulnerabilities, with more added every day. Divide 87 by 40,408 and you get a very small number.

Despite the relative handful of "undercover vulnerabilities and exploits" discovered in the wild (that we know of), we still have no idea whether such vulnerabilities are discovered this way far more often than is reported. And that's a shame.

Lindstrom says the times he's approached software vendors about how certain vulnerabilities were uncovered, he hasn't managed to get very far. "While I have not executed an all-out full-court press on vendors, the times I did ask for follow-up to see how the vulnerability was discovered resulted in somewhat ambiguous answers about having 'no information' or 'disclosure agreements' that prevent any discussion about them," he wrote.

I asked Lindstrom in an e-mail exchange how important it would be to have more precise tracking of these incidents. Here's his reply:

These vulnerabilities are the most serious there are because they are already actively being exploited. Conventional wisdom suggests it is much more common than we hear about. The OSVDB shows 87 total with 18 in each of the past two years. It is difficult to assess exactly how common it is - that is part of the problem. We need to determine the extent of the problem to properly assess the effectiveness of existing controls.

I have requested meetings with Microsoft twice in the past and both times hit a stone wall - they refused to meet with me.

I agree completely that more data would be helpful. We'd know how often these sorts of attacks occur, and have a better idea what security defenses worked, which didn't, and why. The problem is getting good data, and I just do not see (beyond mandating forced reporting of certain attacks) how that's going to happen.

That's why we will probably live in mystery, when it comes to undercover vulnerabilities and exploits discovered in-the-wild, for some time to come. That only helps our adversaries.
