The Timing and Cost of Zero-Day Vulnerabilities
Since publishing the article on Zero-Day Vulnerability Protection with Privilege Management, there has been a lot of additional press around the September 2012 Microsoft Internet Explorer vulnerability that adds additional insights into this problem. The bottom line is that zero-day vulnerabilities, while not new, continue to be a big problem to organizations.
Time to respond to security threats is crucial and there is some concerning news around the disclosure of this latest Internet Explorer vulnerability. Reviewing the publicly disclosed timeline, we see the following key events:
- September 14, 2012 – Security researcher, Eric Romang, discovered the vulnerability
- September 16, 2012 – Advanced details of the vulnerability are published
- September 17, 2012 – Metaploit publishes a proof of concept exploit of the vulnerability (see video of this exploit in action). That same day, Microsoft release a security advisory and recommended users use the Enhanced Mitigation Experience Toolkit.
- September 18, 2012 – CVE assigns CVE-2012-4969 to this vulnerability.
- September 19, 2012 – Microsoft releases an automated workaround that configures Internet Explorer to run in a secure mode. The fix only worked for 32-bit Internet Explorer.
- September 21, 2012 – Microsoft releases an out of band patch to Internet Explorer to fix the vulnerability.
This timeline could read like many other zero-day vulnerabilities, but there have been some very interesting analyses that have arisen in this flurry of activity. Eric Romang has gone on to analyze Microsoft’s disclosure and the fact that they credited a different researcher for finding the issue. He speculates that the vulnerability could have been known for as long as a month to a year before his disclosure. Vulnerabilities are often found and know to vendors long before patched – this is not new. They queue up the fixes in an orderly fashion to ensure the patches don’t create other security or functionality issues in the software. This is a reasonable approach, but secrets don’t stay secret forever. If you want to go further down the conspiracy theory, read this article on zero-day vulnerabilities and correlations with IPS. The question then becomes, how many other vulnerabilities are known to a few parties and are being actively exploited?
Zero-day vulnerabilities occur on a regular basis, but this one had some interesting reactions. The German government urged the public to temporarily discontinue use Internet Explorer. Microsoft downplayed the vulnerability stating, “We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue.” Eric Romang discovered the vulnerability being actively exploited in the wild and despite Microsoft’s statement researchers have found websites targeting defense and space industries. Microsoft is playing damage control and has a record of improving the security of their software for many years. The challenge is that if your organization is a member of the small number of targeted attacks and such attack is successfully, the impact could be big.
So what does it cost to buy a zero-day vulnerability? In a March 2012 Forbes article, it was estimated that an Internet Explorer or Chrome vulnerability would cost $80,000-$200,000 when sold to government agencies. This dark, but legal world of selling 0-day vulnerabilities to governments may be used as a starting point for costs to criminal organizations. It is difficult to quantify the return on such investment on a zero-day vulnerability, but consider the costs. First, there is the risk (jail and fines) of being caught trying to hack a government agency or company (unless you are a government agency yourself). How much is freedom worth? Second there is the cost of buying the vulnerability as quantified by Forbes. Third, there are costs associated with implementing a vulnerability. If this was a startup investment, a venture capitalist would want 10 times the return or $800,000-$2,000,000. That seems to be a modest value for information retrieved on the latest defense systems or something more easily monetized such as a dump of social security or credit cards as may be the case for criminals.
Arellia continues to see issues with the current reactive model of security built on detection of known threats and patching of known issues. We are still not secure despite much effort to improve the security of software. Microsoft has the biggest target, but look for zero-day vulnerabilities on other major software applications and you will find that all have issues. In our initial article, we looked at the impact of privilege with this recent Internet Explorer vulnerability, but this impact could apply to all software. While privilege management is no silver bullet for better security, it is a big improvement that moves beyond reactive security models. There needs to be a new approach and privilege management is one step in the right direction.
About Arellia: Arellia provides solutions for privilege management, application whitelisting, securing local administrator accounts, and compliance remediation. Arellia products are integrated with the Symantec Management Platform and sold through Symantec.