(Translated from the Original Italian)
Recent revelations on Flame case raise the question on the efficiency of “zero day vulnerabilities", software bugs that hackers exploit to avoid security defenses of target systems. The real problem when we talk about zero-day is related to the duration of the period in which hackers exploit the vulnerability before world wide security community respond applying needed countermeasures. I desire to share with you the results related to an interesting study of a couple of researchers, Leyla Bilge and Tudor Dumitras from Symantec Research Labs, titled "Before We Knew It ... An Empirical Study of Zero-Day Attacks In The Real World".
The experts explained how the knowledge of this type of vulnerabilities gives governments, hackers and cyber criminals "a free pass" to exploit every target remaining undetected. The study explains how is it possible to identify 0-day attacks automatically from eld-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Typical zero-day attack has an average duration of 312 days and once publicly disclosed it is observable an increases of 5 orders of magnitude of the volume of attacks.
The lifecycle of a zero-day vulnerability is composed by the following phases:
- Vulnerability introduced.
- Exploit released in the wild.
- Vulnerability discovered by the vendor.
- Vulnerability disclosed publicly.
- Anti-virus signatures released.
- Patch released.
- Patch deployment completed.
The researchers illustrated an alarming scenario, 60% of the zero-day vulnerabilities identified in the study were unknown, the data suggest that there are many more zero-day vulnerabilities than expected and the average proposed for the zero-day vulnerability duration maybe underestimated due the disclosure of flaws dated 2010.
Zero Days attacks appear different from massive malware infection, they usually exploit a limited number of hosts representing the targets, the majority of the exploits in study impacted only few machines.
The discovery of zero day vulnerabilities seems to be a prerogative of state-sponsored attacks, similar flaws could be exploited to conduct stealthy attacks against other governments, let's think to the recent cyber espionage campaigns.
Around the concept of "zero-day" it is born a market in which the governments are primary actors with the hackers specialized in this kind of researches. The role of hacker it totally changed, I don't understand why it could not change also the way to manage these the vulnerabilities.
What are the main approaches to the manage a zero-day vulnerability?
One option is the immediate disclosure of the information relative to the vulnerability, "full disclosure," which, however, has a side effect the explosion of attacks that exploit the flaw identified.
Diametrically opposite approach is to inform only the companies producing applications targeted, this approach, however, is not always well managed by the same companies, in fact, often spend months before they release a patch suitable for the resolution of the problem.
It's clear that such vulnerabilities are unavoidable and are difficult to detect, but the management process for the implementation of necessary patches should be completely revised. The proposed "full disclosure" approach in my opinion is not practicable, but alternative approach needs a proactive response of software producers.
It should be instituted a sort of register of vulnerabilities that have to be managed by the authorities. Once enrolled a vulnerability to the register, it is responsibility of companies to proceed with the development of a patch as soon as possible to avoid the application of sanctions.
The software companies have responsibilities for their products and for the production of related patches. We have discovered that exploiting a zero day vulnerability it is possible to attack a critical infrastructure with serious impact on a population of a country.
My assertion is a provocation of course, I desire to express the disappoint to a wrong attitude in the management of recent vulnerabilities that has had a significant impact in several areas.