Minerva Studio - Fotolia

Report on zero-day vulnerabilities highlights shelf life, overlap

News roundup: Report on zero-day vulnerabilities questions government stockpiling. Plus, Comey talks encryption and privacy, FCC blocks consumer protection rule, and more.

A new study of zero-day vulnerabilities offers some evidence that discovering these flaws and their exploits really is like finding needles in a haystack.

The report from the RAND Corporation, titled "Zero Days, Thousands of Nights," is based on a data set of more than 200 zero-day exploits. Driven by the debate over whether governments should stockpile zero-day vulnerabilities or disclose them to be patched, RAND researchers Lillian Ablon and Andy Bogart looked into the mortality of zero days -- including "life statuses," lifespans and characteristics associated with lifespans -- as well as the likelihood of discovering a zero-day within a certain timeframe and how long it then takes to develop an exploit for the vulnerability.

"There is an ongoing policy debate of whether the U.S. government -- or any government -- should retain so-called zero-day software vulnerabilities or disclose them so they can be patched," wrote Ablon and Bogart in the report. "The debate of whether to retain or disclose these vulnerabilities is often fueled by how much overlap there might be between the zero-day vulnerabilities or exploits the U.S. government keeps and those its adversaries are stockpiling."

Ablon and Bogart set out to learn more about the lifespan and possible overlap of zero-day exploits. They highlighted five key findings in the report.

The first finding is that the standard classification of a zero-day vulnerability as either being alive or dead -- publicly unknown or publicly known, respectively -- is too black and white. The realistic life statuses of these vulnerabilities are more complicated, Ablon and Bogart claimed, and there are also "zombie" vulnerabilities that are alive in one version of a product but dead in another. "And because of the dynamic nature of vulnerabilities, something exploitable one day may not be the next (and vice versa)," the report noted.

The second discovery highlighted in the report is the average lifespan of a zero-day exploit. The average life expectancy of a zero-day exploit is 6.9 years or 2,521 days after its initial discovery. "The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities -- in particular the ones that exploits are created for gray, or government, market use -- are likely old," according to the report. On the other sides of the spectrum, only 25% of vulnerabilities live less than 1.51 years, and only 25% live more than 9.5 years.

Despite the variations in life expectancy, the study also found that there were no characteristics that indicated whether a zero-day would have a relatively long or short life. Ablon and Bogart researched the types of vulnerabilities, the affected platforms, the type of source code and the type of exploit class, but, "no characteristic statistically stood out as a 'smoking gun' that might indicate a short or long life."

Aiming to answer whether stockpiling zero-day vulnerabilities is worthwhile, the researchers asked, "what is the likelihood of another party discovering a zero-day vulnerability within a given time period?" The result of this area of study was somewhat more complicated than the others because the likelihood that two unrelated researchers would discover the same zero-day vulnerability varied based on the length of time examined.  For example, over the course of one year, approximately 5.76% of zero days were discovered by more than one party. When that time period was upped to 14 years, 40% of zero days had been discovered by more than one party.

Finally, the research found that once a zero-day vulnerability was discovered, it took an average of 22 days to find an exploit for it.

Based on all of their findings, Albon and Bogart analyzed whether it's a good idea for governments to stockpile zero-day vulnerabilities and exploits. "The best decision may be to stockpile only if one is confident that no one else will find the zero-day," they wrote. "Disclose otherwise."

In other news

  • FBI Director James Comey this week gave the keynote address at the Boston Conference on Cyber Security in which he identified himself as a fan of encryption and privacy -- but with stipulations. Comey said that since the Snowden revelations in 2013, it's gotten harder for the FBI to do its job because encryption is a default on more devices. "I'll give you a statistic to demonstrate it," he said. "In October, November and December [of 2016], the FBI received ...  2,800 devices for which we had lawful authority to open. And these were devices that were seized by state and local law enforcement or by the FBI. 1,200 of those devices -- about 43% -- we could not open with any technique." Despite that, Comey said he values both security and privacy. "In our great country, all of us have a reasonable expectation of privacy in our homes, in our cars, in our devices. It is a vital part of being an American. The government cannot invade our privacy without good reason, reviewable in court. That's the heart of America. But it also means that with good reason, reviewable in court, that law enforcement can invade our private spaces. That's the bargain of ordered liberty." While Comey said he loves privacy -- he referenced his personal Instagram account with about nine followers -- and cites the FBI's internal use and appreciation of encryption, it should not be the default option and available to anyone. "Widespread default encryption changes that bargain. In my view, it shatters the bargain ... I love privacy, but I also love and live by the bargain."
  • A rule that would prevent internet service providers from selling user data by default was temporarily blocked by the Federal Communications Commission (FCC) on Mar. 1, and now some members of the U.S. Congress are moving to get rid of the rule all together. The rule was put forward in 2016 by the Obama administration and would have forced internet service providers like Verizon, Comcast and AT&T to obtain consent from users before selling their data to advertisers or other third parties. Customers would have to opt-in to allow their ISP to sell data such as their browsing history, geolocation data, health information and financial information. FCC chairman Ajit Pai blocked the rule the day before it was supposed to take effect. On March 7, Sen. Jeff Flake (R-Ariz) --backed by 34 other senators -- introduced a resolution to completely undo the rule. ISPs have been against the rule, while consumer advocates are for it.
  • Both Google and Microsoft have increased their bug bounty rewards. Google's changes are permanent and reflect the challenges involved with identifying vulnerabilities. "Because high severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them," Josh Armour, Google's security program manager, wrote in a blog post. "We want to demonstrate our appreciation for the significant time researchers dedicate to our program, and so we're making some changes." Google will now reward $31,337 for remote code execution vulnerabilities instead of $20,000 and $13,337 for unrestricted file system or database access vulnerabilities instead of $10,000. Microsoft's bug bounty rewards will only increase for three months, between March 1, 2017, and May 1, 2017. During this time, any vulnerability found in Microsoft Office 365 Portal and Microsoft Exchange Online will be worth $1,000 to $30,000 depending on the severity -- which is double the usual amount offered.
  • Consumer Reports, a nonprofit group that rates a variety of consumer-focused products, is starting to consider cybersecurity and privacy concerns when it rates products. This change in its scoring system is largely due to the increase in internet of things (IoT) vulnerabilities and attacks. These attacks have happened in home routers and internet-connected medical devices while the exploitable vulnerabilities are also found in webcams and any IoT device. As Reuters reported, "security researchers have said the attacks are likely to continue because there is little incentive for manufacturers to spend on securing connected devices." This move to rate products based on cybersecurity and privacy will potentially provide much-needed motivation for manufacturers to include cybersecurity and privacy controls in the devices they produce.

Next Steps

Learn some ways to address zero-day attacks in the enterprise

Read about the responsible disclosure debate over CIA documents

Find out more about the rise of zero-day vulnerabilities

Dig Deeper on Risk management