It’s been known for some time that Western government cyber agencies stockpile zero-day vulnerabilities, hoping to find ways of exploiting them in Internet-connected devices of targets. Meanwhile security researchers urge the same governments to quickly release discoveries of these vulnerabilities so they can quickly be patched before criminals and not-so-friendly governments find and and exploit them.
Now a new study suggests keeping quiet may be the better way to protect society because the odds of zero-days being discovered are low.
The study, by the U.S.-based Rand Corporation of a dataset of the history 200 zero-day vulnerabilities and their exploits found between 2002 and 2006, reveals they have average shelf life —the time between initial private discovery and public disclosure—of 6.9 years. In addition, the likelihood of two people finding the same vulnerability — which researchers call the collision rate — is approximately 5.7 percent per year.
Those two facts suggests the level of protection afforded by disclosing a vulnerability may be modest, argues the report, and that keeping quiet about—or “stockpiling”—vulnerabilities may be a reasonable option for those looking to both defend their own systems and potentially exploit vulnerabilities in others’.
The report has added interest with the release last week by WikiLeaks of an alleged hacking archive of tools used by the U.S. Central Intelligence Agency (CIA) to leverage exploits in a wide-range of devices.
“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it,” Lillian Ablon, lead author of the study and an information scientist with Rand, said in a news release. “Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability—or its corresponding exploit—is a game of tradeoffs, particularly for governments.”
“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” Ablon said. “On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve. In that case, stockpiling would be the best option.”
Of the more than 200 zero-day vulnerabilities and exploits that take advantage of them studied almost 40 per cent are still publicly unknown. Twenty-five per cent of vulnerabilities didn’t survive to 1.5 years, while another 25 per cent lived more than 9.5 years.
Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days.
While the average long lifetime of zero-days may support arguments stockpiling the vulnerabilities, the report also notes that there is still a chance of discovery. “Some may argue that, if there is any probability that someone else (especially an adversary) will find the same zero-day vulnerability, then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch,” the authors write.
“In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise.”