RAND study examines 200 real-world “Zero-Day” software vulnerabilities

“Looking at it from the perspective of national governments, if one’s adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one’s own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them,” Ablon said. “On the other hand, publicly disclosing a vulnerability that isn’t known by one’s adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve. In that case, stockpiling would be the best option.”

Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analyzed by RAND, almost 40 percent are still publicly unknown.Ablon and co-author Andy Bogart were able to determine that 25 percent of vulnerabilities do not survive to 1.5 years and only 25 percent live more than 9.5 years. No vulnerability characteristics indicated a long or short life. However, future analyses may want to examine more closely Linux versus other platform types, the similarity of open and closed source code, and type of exploit class.

The study examined what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between. But boiling the argument down to whether vulnerability is “alive” versus “dead” is too simplistic and could create a barrier for vulnerability-detection efforts, Ablon said. A vulnerability may be classified as “immortal” if it’s one that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates.

Vulnerabilities that are publicly known are often disclosed with a security advisory or patch, but in other cases, developers or vulnerability researchers post online about a vulnerability without issuing a security advisory. Other vulnerabilities are quasi-alive – “zombies” – because, due to code revisions, they can be exploited in older versions of a product.

Once an exploitable vulnerability has been found, a fully functioning exploit may be developed quickly, with a median time of twenty-two days. That means any serious attacker can likely obtain an affordable zero-day for almost any target, given the typical life expectancies of these vulnerabilities and the short development time. However, most of the price for those wishing to purchase such a zero-day exploit from a developer is driven not by labor but by its inherent value, lack of supply and other factors.

— Read more in Lillian Ablon and Timothy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and their Exploits (RAND, 2017)