Study examines 200 real-world 'zero-day' software vulnerabilities

March 9, 2017, RAND Corporation

Zero-day software vulnerabilities - security holes that developers haven't fixed or aren't aware of - can lurk undetected for years, leaving software users particularly susceptible to hackers. A new study from the RAND Corporation, based on rare access to a dataset of more than 200 such vulnerabilities, provides insights about what entities should do when they discover them.

Until now the big question - whether governments or anyone should publicly disclose or keep quiet about the vulnerabilities - has been difficult to answer because so little is known about how long zero-day vulnerabilities remain undetected or what percentage of them are eventually found by others.

The RAND study is the first publicly available research to examine vulnerabilities that are still currently unknown to the public. The research establishes initial baseline metrics that can augment other studies that have relied on manufactured data, findings only from publicly known vulnerabilities, or expert opinion.

Based on the dataset, RAND researchers have determined that zero-day vulnerabilities have an - the time between initial private discovery and public disclosure - of 6.9 years. That long timeline plus low collision rates - the likelihood of two people finding the same vulnerability (approximately 5.7 percent per year) - means the level of protection afforded by disclosing a vulnerability may be modest and that keeping quiet about - or "stockpiling" - vulnerabilities may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others'.

"Typical 'white hat' researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it," said Lillian Ablon, lead author of the study and an information scientist with RAND, a nonprofit research organization. "Others, like system-security-penetration testing firms and 'grey hat' entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability - or its corresponding exploit - is a game of tradeoffs, particularly for governments."

People who know about these weaknesses may create "exploits," or code that takes advantage of that vulnerability to access other parts of a system, execute their own code, act as an administrator or perform some other action. One famous example is the Stuxnet worm, which relied on four Microsoft zero-day vulnerabilities to compromise Iran's nuclear program.

"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them," Ablon said. "On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve. In that case, stockpiling would be the best option."

Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analyzed by RAND, almost 40% are still publicly unknown. Ablon and co-author Andy Bogart were able to determine that 25 percent of vulnerabilities do not survive to 1.5 years and only 25 percent live more than 9.5 years. No vulnerability characteristics indicated a long or short life. However, future analyses may want to examine more closely Linux versus other platform types, the similarity of open and closed source code, and type of exploit class.

The study examined what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between. But boiling the argument down to whether vulnerability is "alive" versus "dead" is too simplistic and could create a barrier for vulnerability-detection efforts, Ablon said. A vulnerability may be classified as "immortal" if it's one that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates.

Vulnerabilities that are publicly known are often disclosed with a security advisory or patch, but in other cases, developers or vulnerability researchers post online about a vulnerability without issuing a security advisory. Other vulnerabilities are quasi-alive - "zombies" - because, due to code revisions, they can be exploited in older versions of a product.

Once an exploitable has been found, a fully functioning exploit may be developed quickly, with a median time of 22 days. That means any serious attacker can likely obtain an affordable zero-day for almost any target, given the typical life expectancies of these vulnerabilities and the short development time. However, most of the price for those wishing to purchase such a zero-day exploit from a developer is driven not by labor but by its inherent value, lack of supply and other factors.

Funding for the study, "Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and their Exploits," was provided by philanthropic contributions from RAND supporters, income from operations, and from the RAND Institute for Civil Justice, dedicated to improving the civil justice system by supplying policymakers and the public with rigorous and nonpartisan research. Its studies identify trends in litigation and inform policy choices about liability, compensation, regulation, risk management and insurance.

Explore further: Research on browser weaknesses triggers attacks

Related Stories

Research on browser weaknesses triggers attacks

July 30, 2008

IBM's X-Force says cyber-criminals are using public research on Web browser weaknesses to launch attacks before most users are even aware of their vulnerability. The mid-year report from the security group indicates that ...

NSC backs disclosing software vulnerabilities

April 13, 2014

Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's ...

Recommended for you

After a reset, Сuriosity is operating normally

February 23, 2019

NASA's Curiosity rover is busy making new discoveries on Mars. The rover has been climbing Mount Sharp since 2014 and recently reached a clay region that may offer new clues about the ancient Martian environment's potential ...

Study: With Twitter, race of the messenger matters

February 23, 2019

When NFL player Colin Kaepernick took a knee during the national anthem to protest police brutality and racial injustice, the ensuing debate took traditional and social media by storm. University of Kansas researchers have ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.