Study finds zero-day vulnerabilities abound in popular software

Subscribers to organizations that sell exploits for vulnerabilities not yet known to software developers gain daily access to scores of flaws in the world's most popular technology, a study shows.

[Nation-state likely behind attack on IE zero-day flaw]

NSS Labs, which is in the business of testing security products for corporate subscribers, found that over the last three years, subscribers of two major vulnerability programs had access on any given day to at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products.

In addition, NSS labs found that an average of 151 days passed from the time when the programs purchased a vulnerability from a researcher and the affected vendor released a patch.

The findings, released Thursday, were based on an analysis of 10 years of data from TippingPoint, a network security maker Hewlett-Packard acquired in 2010, and iDefense, a security intelligence service owned by VeriSign. Both organizations buy vulnerabilities, inform subscribers and work with vendors in producing patches.

Stefan Frei, NSS research director and author of the report, said the actual number of secret vulnerabilities available to cybercriminals, government agencies and corporations is much larger, because of the amount of money they are willing to pay.

Cybercriminals will buy so-called zero-day vulnerabilities in the black market, while government agencies and corporations purchase them from brokers and exploit clearinghouses, such as VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard.

The six vendors collectively can provide at least 100 exploits per year to subscribers, Frei said. According to a February 2010 price list, Endgame sold 25 zero-day exploits a year for $2.5 million.

In July, Netragard founder Adriel Desautels told The New York Times that the average vulnerability sells from around $35,000 to $160,000.

Part of the reason vulnerabilities are always present is because of developer errors and also because software makers are in the business of selling product, experts say. The latter means meeting deadlines for shipping software often trumps spending additional time and money on security.

Because of the number of vulnerabilities bought and sold, companies that believe their intellectual property makes them prime targets for well-financed hackers should assume their computer systems have already been breached, Frei said.

"One hundred percent prevention is not possible," he said.

Therefore, companies need to have the experts and security tools in place to detect compromises, Frei said. Once a breach is discovered, then there should be a well-defined plan in place for dealing with it.

[WHMCS Zero-Day vulnerability used against PureVPN]

That plan should include gathering forensic evidence to determine how the breach occurred. In addition, all software on the infected systems should be removed and reinstalled.

Steps taken following a breach should be reviewed regularly to make sure they are up to date.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about Adobe SystemsAppleExodusHewlett-Packard AustraliaiDefenseMicrosoftOracleTippingPointTippingPointVeriSign Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place