A new study from RAND Corporation concluded that zero-day vulnerabilities – security flaws that developers haven't got around to patching or aren't aware of – have an average life expectancy of 6.9 years.
The research, based on rare access to a dataset of more than 200 such vulnerabilities, also looked at how frequently the same holes are found by different groups. The rarity of independent discovery and the long half-life of defects means it can make sense for some organisations with a dual offensive and defensive role (intel agencies) to stockpile vulnerabilities, the researchers argue.
The long timeline plus low collision rates – the likelihood of two people finding the same vulnerability (approximately 5.7 per cent per year) –means the level of protection afforded by disclosing a vulnerability may be modest and that keeping quiet about – or "stockpiling" – vulnerabilities may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others.
"Typical 'white hat' researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it," said Lillian Ablon, lead author of the study and an information scientist with RAND, a nonprofit research organisation. "Others, like system-security-penetration testing firms and 'grey hat' entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability – or its corresponding exploit – is a game of tradeoffs, particularly for governments."
Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analysed by RAND, almost 40 per cent are still publicly unknown.
The study is one of the most comprehensive of its type and its release, just two days after revelations about the CIA's cyber arsenal of hacking tools, is timely. Security pundits were quick to point out that issues such as weak password security, phishing and failure to apply available patches are all far more important risk factors than the "sexy" but somewhat hyped field of zero-day vulnerabilities.
Javvad Malik, security advocate at security dashboard firm AlienVault, commented: "Zero-days aren't so much a concern for average users. Cybercriminals tend to go for tried and tested methods to attack users and have built pretty efficient processes around it, e.g. phishing or ransomware. Larger enterprises such as financial services, critical national infrastructure, and governments are usually the ones that need to factor in zero-days and targeted attacks in their threat model."
Craig Young, security researcher at security tools firm Tripwire, questioned the study's methodology. "This study from RAND is very unscientific for several reasons," he said. "First, they are looking at only 200 vulnerabilities which is a small percentage of the number of vulnerabilities being discovered each year."
The CVE project, which documents just a portion of publicly disclosed vulnerabilities, had 6,435 identifiers released in 2016 plus as many as 3,500 additional identifiers that were assigned but have not yet been revealed publicly. This is in addition to an unknown number of vulnerabilities discovered by hackers with no intention of disclosing them.
"Another big problem with the study is that statistics such as the median time of 22 days to develop an exploit are incredibly misleading because vulnerabilities can be drastically different in terms of exploitation complexity," Young added. ®