- The software vendor can uncover the vulnerability itself through a code review. The vendor will (hopefully) fix it and provide a patch to customers. Other than finding the flaw during development, this is one of the best ways these things are found.
- A security researcher (a customer, or someone else) will find the flaw and report it to the software vendor, who will then (hopefully) provide a patch at the time the flaw is disclosed to customers.
- A security researcher finds the flaw and announces it to the world on a security mailing list or in a blog post. Sometimes they'll publish exploit code at the same time, sometimes not. This is generally a bad way for the rest of the world to learn of the flaw, as software vendors have to scramble to develop the patch and everyone who uses the software is at risk of being attacked in the meantime.
- That brings us to the worst ways such vulnerabilities are found, at least for the general computing and Internet community. The software security hole is found by a black hat, cyber-criminal, or state-sponsored researcher. The flaw could be sold on the black market to other criminals to be used in their attacks. Or, in the case of state-sponsored attackers and organized crime, the flaw could be tucked away for later use in their attack arsenal.
We will usually only learn of the last category when it's used in an attack that is made public, such as Aurora. That's, presumably, how Microsoft first learned of the flaws in its security advisory 979352, when it said that it is "investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer."
In its acknowledgments section, Microsoft thanked Google, security firm Mandiant, Adobe, and McAfee for help and for providing details of the attack.
How many software flaws are discovered as zero-days under active attack? We know of plenty of zero-day attacks in which the software vulnerability is disclosed publicly first and attack code follows before the patch is published. But public disclosures of attacks in which a previously unknown (to the public or the software vendor) vulnerability is exploited are rare.
Research director at Spire Security, Pete Lindstrom, maintains a list that has 21 such vulnerabilities (he calls them undercover vulnerabilities) since 1988. The Open Source Vulnerability Database has 87 vulnerabilities categorized as "Discovered in the Wild."
Considering thousands of ordinary software security vulnerabilities are discovered every year, that's not very many. The National Vulnerability Database, as of today, has 40,408 vulnerabilities with more added every day. Divide 87 by 40,408 and you get a very small number.
Despite the relative handful of "undercover vulnerabilities and exploits" discovered in the wild (that we know of), we still have no idea whether such vulnerabilities are discovered in this way far more often than is reported. And that's a shame.
Lindstrom says the times he's approached software vendors about how certain vulnerabilities were uncovered, he hasn't managed to get very far. "While I have not executed an all-out full-court press on vendors, the times I did ask for follow-up to see how the vulnerability was discovered resulted in somewhat ambiguous answers about having 'no information' or 'disclosure agreements' that prevent any discussion about them," he wrote.
I asked Lindstrom in an e-mail exchange how important it would be to have more precise tracking of these incidents. Here's his reply:
These vulnerabilities are the most serious there are because they are already actively being exploited. Conventional wisdom suggests it is much more common than we hear about. The OSVDB shows 87 total with 18 in each of the past two years. It is difficult to assess exactly how common it is - that is part of the problem. We need to determine the extent of the problem to properly assess the effectiveness of existing controls.
I have requested meetings with Microsoft twice in the past and both times hit a stone wall - they refused to meet with me.
I agree completely that more data would be helpful. We'd know how often these sorts of attacks occur, and have a better idea what security defenses worked, which didn't, and why. The problem is getting good data, and I just do not see (beyond mandating forced reporting of certain attacks) how that's going to happen.
That's why we will probably live in mystery, when it comes to undercover vulnerabilities and exploits discovered in-the-wild, for some time to come. That only helps our adversaries.