Software vulnerabilities from two popular commercial zero-day brokerage houses give cyber-criminals and nation-state attackers advance access to as many as 100 software exploits on any given day, according to data released by NSS Labs.
After studying 10 years of data from HP’s Zero Day Initiative (ZDI) and Verisign’s iDefense — two companies that pioneered the business of purchasing exclusive rights to zero-day vulnerability information — NSS Labs came to the startling discovery that “privileged groups” have access to at least 58 unpatched vulnerabilities targeting products from Microsoft, Apple, Oracle and Adobe.
“These groups have access to critical information that would allow them to compromise all vulnerable systems without the public ever having knowledge of the threats,” said NSS Labs research director Stefan Frei.
In a report titled The Known Unknowns, Frei said the research found that these vulnerabilities remain private — and unpatched — for an average of 151 days, providing a wide open window for cyber-criminals and APT groups to launch targeted attacks against consumers and businesses.
The data in the NSS Labs does not take into account additional programs that sell exploits and vulnerability data to governments and other buyers.
According to Frei, these companies are offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined hacker group. He provided an example of a subscription package of 25 zero-days per year selling in the range of US$2.5 million.
“This has broken the monopoly that nation-states historically have held regarding ownership of the latest cyber-weapon technology,” he said. “Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year,’ Frei added.
Frei also acknowledged that the true number is considerably higher than has been estimated since many groups in possession of zero-day flaw information have to incentive to coordinate and share data with affected software vendors.
In the case of ZDI and iDefense VCP (Vulnerability Purchasing Program), Frei found that the two companies purchased 2,392 vulnerabilities between 2002 and 2013.
“It is significant that the average time from vulnerability purchase to public disclosure is 133 days for VCP and 174 days for ZDI,” Frei said, nothing that this is a lengthy period of time for a process of coordinated disclosure.
“It is clear that vulnerabilities acquired by cyber-criminals or by government agencies remain unknown to the public for extended period of time,” he added.
In the report, NSS Labs noted that these bug bounty programs do not purchase all vulnerabilities offered by researchers. This means that the majority of vulnerabilities purchased are rated as “highly critical” and affect products that are widely deployed.
“This poses a significant risk to enterprises and to society,” the company warned.
Related: Bug Bounty Programs More Cost-Effective Than Hiring Security Experts
Exclusive Podcast:Vupen CEO Chaouki Bekrar Addresses Zero Day Marketplace Controversy
Related Podcast:The Story Behind Microsoft’s Bug Bounty Program
Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.Previous Columns by Ryan Naraine:Bug Bounty Flaws Remain Unpatched for 151 Days: StudyGoogle Blocks Fraudulent Certificates Used by French GovernmentTechnology Controls Against APTs Not Working: StudyPodcast: Qualys CTO Wolfgang Kandek on Vulnerabilities in the BrowserAndroid Flaw Allows Rogue Apps to Disable Passcodes