Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:40 PM
Connect Directly

Stockpiling 0-Day Bugs Not So Dangerous After All, RAND Study Shows

A RAND Corp. study of more than 200 zero-days shows that benefits of disclosure can often be more modest than perceived.

The practice by US intelligence agencies and presumably of other governments to stockpile zero-day vulnerabilities for use in offensive cyber operations may not always pose as much of a risk to general technology users as once thought.

In fact, the tactical and strategic benefits that governments can gain from stockpiling vulnerabilities sometimes outweigh the security benefits of public disclosure, according to a new report by RAND Corp.

The report is based on a study of more than 200 zero-day flaws obtained from a vulnerability research group, many of whose members have worked for nation-state actors. The group, which RAND calls BUSBY to protect its anonymity, has also supplied exploits to nation-state actors, according to the think-tank.

RAND’s study revealed that arguments for or against the stockpiling of zero-days for defensive purposes like penetration testing or for use against adversaries, are not always clear-cut.

One major contention against stockpiling zero-days is that adversaries often may have knowledge about the same vulnerabilities, and therefore keeping the flaws secret would prevent the software from being patched, resulting in needless risks for users.

The recent dump of the CIA's malware arsenal and exploit kits on WikiLeaks and the similar leak of the US National Security Agency (NSA) confidential hacking tools last year raised considerable concerns about government stockpiles of zero-day flaws in widely used network and security products. Some have argued the intelligence agencies have a responsibility to American business and citizens to disclose discovery of such flaws so technology users can be better protected.

But The RAND study showed that concerns about an overlap between US vulnerability stockpiles and those maintained by others are likely overstated.

For one thing, most zero-day vulnerabilities typically remain undetected for a long time. Based on the dataset that the RAND researchers inspected, the average life expectancy of a zero-day vulnerability—or the time between when it was first discovered privately and when it was publicly disclosed—is 6.9 years.

During that period, the chances of another researcher finding that exact same flaw were relatively low, at around 5.7% per year.

While that number is not insignificant, it also means the chances of two people finding the same zero-day flaw is lower that many might perceive. As a result, the gains from publicly disclosing a zero-day flaw may not be all that significant a majority of the time, the RAND report said.

"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense," said Lillian Albion, lead author of the RAND report and information scientist. "On the other hand, publicly disclosing a vulnerability that isn’t known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability," while still retaining their own.

Albion says that conversations with researchers show that in a majority of instances, vulnerabilities are discovered due to code churn - and less often by another vulnerability researcher performing a code audit.

"None we spoke to believed that their vulnerabilities or exploits died or were discovered due to use by a customer in some operational campaign, or by information leakage," such as those by WikiLeaks or Shadow Brokers, Albion says.

In general, black hats and cybercriminals tend to focus more on known vulnerabilities rather than 0-day flaws, she says. "Only a very small portion of the black markets deals with zero-day vulnerabilities and exploits—which have little value for mass market malware, much less ordinary cybercrime."

The RAND study also unearthed some other interesting nuggets. For instance, of the more than 200 vulnerabilities that RAND inspected, about 40% remain undisclosed. Fully functioning exploits for zero-day flaws tend to get developed very quickly with a median time of 22-days.

About 25% of all zero-day flaws get discovered within 18 months, while another 25% live on for more than nine years on average. Significantly, there were no specific characteristic or marker to indicate the longevity of a zero-day bug.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...