Hackers Exploit Software Bugs For 10 Months On Average Before They're Exposed
Symantec's chart shows a distribution of zero-day exploits based on how long they persist before being discovered. The average is close to 10 months.
Software vendors are constantly on the watch for so-called “zero day” vulnerabilities–flaws in their code that hackers find and exploit before the first day companies become aware of them. But the term “zero-day” doesn’t capture just how long hackers’ head-starts often are: Day zero, it seems, often lasts more than 300 days.
That’s one of the findings of a broad study of hackers’ zero-day exploits by two researchers at the antivirus firm Symantec that they plan to present at the Association for Computing Machinery’s Computer and Communications Security conference in Raleigh, North Carolina this week. Leyla Bilge and Tudor Dumitraș used data collected from 11 million PCs running Symantec’s antivirus software to correlate a catalogue of zero-day attacks with malware found on those machines. Using that retrospective analysis, they found 18 attacks that represented zero-day exploits between February 2008 and March of 2010, only seven of which were previously known to have been exploited prior to their public discovery. And most disturbingly, they found that those attacks continued for 312 days on average–up to 2.5 years in some cases–before the security community became aware of them.
“In fact, 60% of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought—perhaps more than twice as many,” the researchers write. And they add that their estimate for the average time to discovery of those vulnerabilities may be conservative, too. “While the average duration is approximately 10 months, the fact that all but one of the vulnerabilities disclosed after 2010 remained unknown for more than 16 months suggests that we may be underestimating the duration of zero-day attacks.”
One aspect of zero-day exploit use that’s made them tough to track and count has been how closely targeted they are. Unlike the mass malware infections that typically infect many thousands of machines using known vulnerabilities, the majority of the exploits in Symantec’s study only affected a handful of machines: all but four of the exploits infected fewer than 100 targets, and four were found on only one computer.
That careful use of zero-day exploits, often reserved for stealthy espionage tactics rather than credit-card harvesting or other for-profit crime, reflects their price. As I reported earlier this year based on conversations with brokers of zero-day exploit code, a single zero-day exploit can cost as much as $250,000, and the fees are often paid in installments based on the vulnerability remaining secret and unpatched.
Unsurprisingly, the study shows that hackers target common software like Microsoft Word, Flash and Adobe Reader. Sixteen of the 18 zero-day exploits discovered and analyzed in the study affected Microsoft and Adobe software.
Symantec's study shows that hackers grab onto new exploits, using them hundreds or thousands of times more often, around the time of their revelation to the public.
Once a certain vulnerability does come to public light, Symantec’s study shows that hackers quickly pile on to exploit the flaw before it can be fixed by the software’s vendor. In some cases tracked by Symantec, a single exploit jumped from a handful of cases to tens of thousands within days of a bug’s disclosure. (See chart at left.)
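The two measurements described above (how long an exploit circulates before its vulnerability is publicly disclosed, and how many hosts it reaches before versus after disclosure) can both be reconstructed from the same retrospective join of endpoint telemetry against a vulnerability catalogue. The following is an added illustration of that analysis, not code from the Symantec study or its authors; the telemetry records, malware hashes, vulnerability identifiers (VULN-A, VULN-B, VULN-C) and disclosure dates are all constructed for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed telemetry (not real data): one record per (host, malware hash,
# date the file was first observed on that host).
TELEMETRY = [
    ("h01", "sha-a", date(2008, 3, 1)),    # VULN-A exploited ~10 months pre-disclosure
    ("h02", "sha-a", date(2008, 4, 10)),
    ("h02", "sha-a", date(2008, 4, 11)),   # same host again; must not double-count
    ("h03", "sha-a", date(2009, 2, 20)),   # after VULN-A was disclosed
    ("h04", "sha-b", date(2009, 6, 5)),    # VULN-B, a single host before disclosure
    ("h05", "sha-b", date(2009, 9, 2)),    # post-disclosure pile-on begins
    ("h06", "sha-b", date(2009, 9, 3)),
    ("h07", "sha-b", date(2009, 9, 3)),
    ("h08", "sha-c", date(2008, 5, 1)),    # VULN-C: first seen only after disclosure
    ("h09", "sha-x", date(2008, 7, 7)),    # hash not tied to any catalogued bug; ignored
]

# Constructed catalogue: which hash exploits which vulnerability, and the
# public disclosure date of each vulnerability.
EXPLOIT_OF = {"sha-a": "VULN-A", "sha-b": "VULN-B", "sha-c": "VULN-C"}
DISCLOSED = {
    "VULN-A": date(2009, 1, 15),
    "VULN-B": date(2009, 9, 1),
    "VULN-C": date(2008, 1, 1),
}


def analyze(telemetry, exploit_of, disclosed):
    """Join telemetry with the catalogue; per vulnerability, report the earliest
    sighting, the pre-disclosure window, and distinct hosts before/after disclosure."""
    first_seen = {}
    hosts_before = defaultdict(set)
    hosts_after = defaultdict(set)
    for host, sample_hash, seen in telemetry:
        vuln = exploit_of.get(sample_hash)
        if vuln is None:
            continue                        # not an exploit of a catalogued bug
        if vuln not in first_seen or seen < first_seen[vuln]:
            first_seen[vuln] = seen
        if seen < disclosed[vuln]:
            hosts_before[vuln].add(host)   # sets de-duplicate repeat sightings
        else:
            hosts_after[vuln].add(host)

    results = {}
    for vuln, seen in first_seen.items():
        lead = (disclosed[vuln] - seen).days
        results[vuln] = {
            "first_seen": seen,
            "disclosed": disclosed[vuln],
            "zero_day": lead > 0,           # exploited before public disclosure
            "days_before_disclosure": max(lead, 0),
            "hosts_before": len(hosts_before[vuln]),
            "hosts_after": len(hosts_after[vuln]),
        }
    return results


def summarize(results, targeted_threshold=100):
    """Aggregate the per-vulnerability rows into the study-style headline numbers."""
    zero_days = [r for r in results.values() if r["zero_day"]]
    durations = [r["days_before_disclosure"] for r in zero_days]
    return {
        "zero_day_count": len(zero_days),
        "avg_days": mean(durations) if durations else 0.0,
        "max_days": max(durations, default=0),
        "targeted": sum(1 for r in zero_days if r["hosts_before"] < targeted_threshold),
    }


if __name__ == "__main__":
    rows = analyze(TELEMETRY, EXPLOIT_OF, DISCLOSED)
    for vuln, row in sorted(rows.items()):
        print(vuln, row)
    print(summarize(rows))
```

Two caveats carry over from the study's own framing: the first sighting on a monitored host is only a lower bound on how long the exploit existed, and a vulnerability whose exploit was never picked up by the telemetry will not appear at all, so both the count and the average duration are conservative.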
Those findings lend some numbers to an issue that’s been a subject of fiery debate in the security community: whether security researchers should expose vulnerabilities they find to the public or report them privately to the company whose software is affected. Broadcasting bugs to the public, a strategy researchers have labelled “full disclosure,” leads to that spike in attacks before users have access to secure software, as Symantec’s study shows. But in other cases, researchers argue that companies don’t have an incentive to patch bugs reported to them until their users are at risk of being widely attacked. In August, for instance, Oracle waited until thousands of users had been attacked via a bug in its Java software before patching it, despite the fact that Polish researchers had reported the flaw to Oracle four months earlier.
One clear conclusion of Symantec’s study, regardless of that full-disclosure debate, is the value of the benevolent hackers who find and report bugs in software before they’re exploited. Without someone to dig them up and demand they be fixed, those hackable flaws are far more common, and remain secret far longer, than anyone may have realized.