Zero-day vulnerabilities have become not only a major threat in the software security world but also a major industry, with many selling for large sums on the black market and entire firms emerging that are dedicated solely to finding and profiting off of exploits in the gray market. But while the sense of this threat is distinct, many people in the software world may not have a complete picture of how many vulnerabilities are actually out there and to what extent private research firms, in particular, are succeeding at turning up flaws in vendors' products. A recent study from Stefan Frei, a researcher at NSS Labs, sought to quantify the number of issues that are actually active in the wild.
How many vulnerabilities are there?
Looking over reports from vendors such as ReVuln, VUPEN, Endgame Systems and Exodus Intelligence, which find and resell exploits, Frei concluded that these firms alone have the ability to offer more than 100 exploits to the market each year. According to a 2012 Symantec study, the average zero-day vulnerability goes unpatched for 312 days. Combining the two figures (roughly 100 new exploits per year, each remaining unpatched for about 312/365 of a year) means that at least 85 privately known vulnerabilities are available at any given time.
Additionally, Frei analyzed data from vulnerability purchase programs like iDefense's Vulnerability Contributor Program and TippingPoint's Zero Day Initiative. He found that over the history of these programs, the average vulnerability remained private – known to the program and vendors but not published or patched – for 153 days. On any given day from 2010 to 2012, these "privileged groups" had "exclusive access" to an average of 152 "known unknown" vulnerabilities across all vendors and 58 vulnerabilities in Microsoft, Apple, Oracle, Sun or Adobe products specifically. The average time to disclosure was 187 days, or 151 days for the top five vendors.
"Since the VCP and ZDI programs use this information only for the purpose of building better protection for their customers, and since they share the information with the software vendors in order to develop and release patches, the overall risk is comparatively low," Frei wrote. "This analysis, however, clearly demonstrates that critical vulnerability information is available in significant quantities for private groups, for extended periods and at a relatively low cost."
Getting a handle on vulnerabilities
This data only encompasses part of the white market – which also would include companies' own bug bounty programs – and the gray market. As a result, "it is almost certainly a conservative estimate," security expert Brian Krebs wrote in a blog post. More vulnerabilities are inevitably lurking in the wilds of the black market, where teams like the one behind the Blackhole exploit kit are spending hundreds of thousands of dollars, or are being developed by commercial security consultancies. Even so, the number of threats Frei identified probably goes far beyond what many executives are aware of.
"So everybody knows there are zero days, but when we talk to C-level executives, very often we find that these guys don't have a clue, because they tell us, 'Yeah, but we've never been compromised'," Frei told Krebs. "And we always ask them, 'How do you know?'"
The bottom line is that, at a minimum, hundreds of unpatched zero-day vulnerabilities are already known and in some private party's hands. Furthermore, they continue to go unpatched for months, whether the parties who know about them are working to get them fixed or looking to sell or exploit them. For software vendors, this information is a sobering reminder that additional precautions are necessary to keep products with software security errors from reaching release in the first place.
Frei recommended more companies "take advantage of crowd sourcing via the establishment of a bug bounty program." Such efforts are growing in popularity, and, in some instances, companies are even helping to sponsor bug bounties for open source products. Vendors can also benefit from using tools like static analysis software to scan for bugs prior to release, while a carefully implemented peer code review program can leverage the knowledge of experts throughout the company in catching faulty code and flawed program components. Given the state of the zero-day economy and the number of threats constantly lingering in the background, companies can benefit from minimizing the number of vulnerabilities that actually make their way into production.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.