The zero-day exploit market is secretive. People as a whole tend to fear what they don’t understand and substitute fact with speculation. While very few facts about the zero-day exploit market are publicly available, there are many facts about zero-days that are available. When those facts are studied it becomes clear that the legitimate zero-day exploit market presents an immeasurably small risk (if any), especially when viewed in contrast with known risks.
Many news outlets, technical reporters, freedom of information supporters, and even security experts have used the zero-day exploit market to generate Fear, Uncertainty and Doubt (FUD). While the concept of a zero-day exploit seems ominous, the reality is actually far less menacing. People should be significantly more worried about vulnerabilities that exist in the public domain than those that are zero-day. The misrepresentations about the zero-day market create a dangerous distraction from the very real issues at hand.
One of the most common misrepresentations is that the zero-day exploit market plays a major role in the creation of malware and in malware’s ability to spread. Not only is this categorically untrue, but the Microsoft Security Intelligence Report (SIRv11) provides clear statistics showing that malware almost never uses zero-day exploits. According to SIRv11, less than 6% of malware infections are actually attributed to the exploitation of general vulnerabilities. Of those successful infections, nearly all target known rather than zero-day vulnerabilities.
Malware targets and exploits gullibility far more frequently than technical vulnerabilities. The “ILOVEYOU” worm is a prime example. The worm would email itself to a victim with a subject of “I LOVE YOU” and an attachment titled “LOVE-LETTER-FOR-YOU.txt.vbs”. The attachment was actually a copy of the worm. When a person attempted to read the attachment they would inadvertently run the copy and infect their own computer. Once a computer was infected, the worm would begin the process again and email copies of itself to the first 50 email addresses in the victim’s address book. This technique of exploiting gullibility was so successful that in the first 10 days over 50 million infections were reported. Had people spent more time educating each other about the risks of socially augmented technical attacks, the impact may have been significantly reduced.
The Morris worm is an example of a worm that did exploit zero-day vulnerabilities to help its spread. The Morris worm was created in 1988 and proliferated by exploiting multiple zero-day vulnerabilities in various Internet-connected services. The worm was not intended to be malicious, but ironically a design flaw caused it to malfunction, which resulted in a Denial of Service condition on the infected systems. The Morris worm existed well before the zero-day exploit market was even a thought, thus proving that both malware and zero-day exploits will exist with or without the market. In fact, there is no evidence that shows the existence of any relationship between the legitimate zero-day exploit market and the creation of malware; there is only speculation.
Despite these facts, prominent security personalities have argued that the zero-day exploit market keeps people at risk by preventing the public disclosure of zero-day vulnerabilities. Bruce Schneier wrote, “a disclosed vulnerability is one that – at least in most cases – is patched”. His opinion is both assumptive and erroneous, yet shared by a large number of security professionals. The reality is that when a vulnerability is disclosed it is unveiled to both ethical and malicious parties. Those who are responsible for applying patches don’t respond as quickly as those with malicious intent.
According to SIRv11, 99.88% of all compromises were attributed to the exploitation of known (publicly disclosed) and not zero-day vulnerabilities. Of those vulnerabilities over 90% had been known for more than one year. Only 0.12% of compromises reported were attributed to the exploitation of zero-day vulnerabilities. Without the practice of public disclosure or with the responsible application of patches the number of compromises identified in SIRv11 would have been significantly reduced.
The Verizon 2012 Data Breach Investigations Report (DBIR) also provides some interesting insight into compromises. According to the DBIR, 97% of breaches were avoidable through simple or intermediate controls (known / detectable vulnerabilities, etc.), 92% were discovered by a third party and 85% took two weeks or more to discover. These statistics further demonstrate that networks are not being managed responsibly. People, and not the legitimate zero-day exploit market, are keeping themselves at risk by failing to responsibly address known vulnerabilities. A focus on zero-day defense is an unnecessary distraction for most.
Another issue is the notion that security researchers should give their work away for free. Initially it was risky for researchers to notify vendors about security flaws in their technology. Some vendors attempted to quash the findings with legal threats, and others would treat researchers with such hostility that it would drive the researchers to the black market. Some vendors remain hostile even today, but most will happily accept a researcher’s hard work provided that it’s delivered free of charge. To us the notion that security researchers should give their work away for free is absurd.
Programs like ZDI and what was once iDefense (acquired by VeriSign) offer relatively small bounties to researchers who provide vulnerability information. When a new vulnerability is reported these programs notify their paying subscribers well in advance of the general public. They do make it a point to work with the manufacturer to close the hole but only after they’ve made their bounty. Once the vendors have been notified (and ideally a fix created) public disclosure ensues in the form of an email-based security advisory that is sent to various email lists. At that point, those who have not applied the fix are at a significantly increased level of risk.
Companies like Google and Microsoft are stellar examples of what software vendors should do with regard to vulnerability bounty programs. Their programs motivate the research community to find and report vulnerabilities back to the vendor. The existence of these programs is a testament to how seriously both Google and Microsoft take product security. Although these companies (and possibly others) are moving in the right direction, they still have to compete with prices offered by other legitimate zero-day buyers. In some cases those prices are as much as 50% higher.
Netragard is one of those entities. We operate the Exploit Acquisition Program (EAP), which was established in early 2000 as a way to provide ethical security researchers with top dollar for their work product. In 2011 Netragard’s minimum acquisition price (payment to researcher) was $20,000.00, which is significantly greater than the minimum payout from most other programs. Netragard’s EAP buyer information, as with any business’ customer information, is kept in the highest confidence. Netragard’s EAP does not practice public vulnerability disclosure for the reasons cited above.
Unlike VUPEN, Netragard will only sell its exploits to US based buyers under contract. This decision was made to prevent the accidental sale of zero-day exploits to potentially hostile third parties and to prevent any distribution to the Black Market. Netragard also welcomes the exclusive sale of vulnerability information to software vendors who wish to fix their own products. Despite this, not one single vendor has approached Netragard with the intent to purchase vulnerability information. This seems to indicate that most software vendors are still more focused on revenue than they are on end-user security. This is unfortunate because software vendors are the source of vulnerabilities.
Most software vendors do not hire developers who are truly proficient at writing safe code (the proof is in the statistics). Additionally, very few software vendors have genuine security testing incorporated into their Quality Assurance process. As a result, software vendors literally (and usually accidentally) create the vulnerabilities that are exploited by hackers and used to compromise their customers’ networks. Yet software vendors continue to inaccurately tout their software as being secure when in fact it isn’t.
If software vendors begin to produce truly secure software, then the zero-day exploit market will cease to exist or will be forced to make dramatic transformations. Malware, however, would continue to thrive because it is not exploit dependent. We are hopeful that Google and Microsoft will be trend setters and that other software vendors will follow suit. Finally, we are hopeful that people will do their own research about the zero-day exploit markets instead of blindly trusting the largely speculative articles that have been published recently.