
Is silence better than disclosure for zero-day vulnerabilities?

It’s been known for some time that Western government cyber agencies stockpile zero-day vulnerabilities, hoping to find ways of exploiting them in the Internet-connected devices of targets. Meanwhile, security researchers urge the same governments to quickly release their discoveries of these vulnerabilities so they can be patched before criminals and not-so-friendly governments find and exploit them.

Now a new study suggests keeping quiet may be the better way to protect society because the odds of zero-days being discovered are low.

The study, by the U.S.-based Rand Corporation, of a dataset covering the history of 200 zero-day vulnerabilities and their exploits found between 2002 and 2006, reveals they have an average shelf life, the time between initial private discovery and public disclosure, of 6.9 years. In addition, the likelihood of two people finding the same vulnerability, which researchers call the collision rate, is approximately 5.7 percent per year.

Those two facts suggest the level of protection afforded by disclosing a vulnerability may be modest, argues the report, and that keeping quiet about, or “stockpiling,” vulnerabilities may be a reasonable option for those looking to both defend their own systems and potentially exploit vulnerabilities in others’.

The report has added interest with the release last week by WikiLeaks of an alleged hacking archive of tools used by the U.S. Central Intelligence Agency (CIA) to leverage exploits in a wide range of devices.

“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it,” Lillian Ablon, lead author of the study and an information scientist with Rand, said in a news release. “Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability—or its corresponding exploit—is a game of tradeoffs, particularly for governments.”

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” Ablon said. “On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware in reserve. In that case, stockpiling would be the best option.”

Of the more than 200 zero-day vulnerabilities studied, along with the exploits that take advantage of them, almost 40 per cent are still publicly unknown. Twenty-five per cent of vulnerabilities didn’t survive to 1.5 years, while another 25 per cent lived more than 9.5 years.

Once an exploitable vulnerability has been found, the time to develop a fully functioning exploit is relatively short, with a median of 22 days.

While the long average lifetime of zero-days may support arguments for stockpiling the vulnerabilities, the report also notes that there is still a chance of discovery. “Some may argue that, if there is any probability that someone else (especially an adversary) will find the same zero-day vulnerability, then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch,” the authors write.

“In this line of thought, the best decision may be to stockpile only if one is confident that no one else will find the zero-day; disclose otherwise.”
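To see how the 5.7 per cent yearly collision rate and the lifetime figures quoted above combine into the "chance of discovery" the authors weigh, here is a small added calculation (mine, not part of the Rand report or this article). It assumes rediscovery is an independent yearly event with a fixed probability, a simplification the report itself does not make:

```python
"""Cumulative rediscovery risk implied by the figures quoted in the article.

Model assumption (added here, not Rand's): each year, independently, some
other party finds the same flaw with probability COLLISION_RATE, so the
waiting time until a collision is geometric. This is only meant to show how
a modest per-year rate compounds over a vulnerability's shelf life.
"""

COLLISION_RATE = 0.057  # per-year collision rate quoted in the article
LIFETIMES = {           # shelf-life figures quoted in the article, in years
    "25th percentile": 1.5,
    "average": 6.9,
    "75th percentile": 9.5,
}


def rediscovery_probability(years: float, rate: float = COLLISION_RATE) -> float:
    """Probability that at least one other party finds the flaw within `years`."""
    if years < 0 or not 0.0 <= rate <= 1.0:
        raise ValueError("years must be >= 0 and rate must lie in [0, 1]")
    # P(no collision in any single year) ** years, then take the complement.
    return 1.0 - (1.0 - rate) ** years


def expected_years_to_collision(rate: float = COLLISION_RATE) -> float:
    """Mean waiting time until a collision under the geometric model."""
    if not 0.0 < rate <= 1.0:
        raise ValueError("rate must lie in (0, 1]")
    return 1.0 / rate


def risk_table(rate: float = COLLISION_RATE) -> dict:
    """Rediscovery probability at each lifetime figure quoted in the article."""
    return {label: round(rediscovery_probability(t, rate), 3)
            for label, t in LIFETIMES.items()}


if __name__ == "__main__":
    for label, p in risk_table().items():
        print(f"{label:>16}: {p:.1%} chance someone else finds it first")
    print(f"expected years until a collision: {expected_years_to_collision():.1f}")
```

Under this model a zero-day held for the 6.9-year average has roughly a one-in-three chance of having been found by someone else, while the expected wait for a collision (about 17.5 years) is well beyond the average shelf life, which is the tension between the two quoted arguments.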
