Software vulnerabilities are quickly exploited by cyber-criminals and online spies, typically giving defenders less than eight days to patch, according to a study of some 188 exploited software vulnerabilities by data analysis firm Recorded Future.
The study used automated data collection to gather information from the National Vulnerability Database, vulnerability reports, and software-update bulletins. Using this data set, the company identified 188 vulnerabilities used in attacks, which typically came 7.5 days after details of the issues were initially published.
The study gives some guidance to network defenders, Scott Donnelly, senior analyst with Recorded Future, told eWEEK.
“If you are looking at a critical patch for your system, you need to know how quickly it is being exploited,” he said. “You are never going to be able to mitigate all issues.”
Disclosing details of serious vulnerabilities often gives underground attackers—as well as legitimate penetration testers—enough information to take advantage of a software weakness. The most critical software vulnerabilities, such as the “Shellshock” flaw in Unix and Linux terminal shells, are often attacked within a day of detailed disclosure. By far the largest share of flaws were exploited within the first week.
Most flaws were reported in Java, Adobe Flash, Internet Explorer, other Adobe programs, Microsoft Office and Windows. Microsoft Office flaws tend to have the longest delay between disclosure and exploit, according to the report. Microsoft has added defensive software techniques, or mitigations, designed to make exploiting their software more difficult.
The Internet Explorer browser, the Windows operating system and Apple’s Mac OS X had the fastest turnaround time on exploitation. Vulnerabilities in such software are often considered to be very valuable to attackers and attract a great deal of research following disclosure.
In general, attackers exploited proprietary software in 6.5 days, but open-source software actually had a similar delay, 9.5 days, between disclosure and exploitation.
The starkest divide between open-source and closed-source software was in the delay between exploitation of previously unknown software vulnerabilities, so-called “zero-day” flaws. More than 52 days passed on average between the date when attackers began exploiting a zero-day vulnerability in open-source software and the date when the flaw was disclosed. Proprietary software had a delay between exploitation and disclosure of about 25 days.
“Open-source exploit festers a bit longer, according to this data,” which is an interesting development, Christopher Ahlberg, co-founder and CEO of Recorded Future. “Whereas, the post disclosure attacks have a small difference.”
Microsoft’s own analysis has found that zero-day exploits remain fairly constant from year to year, while the number of exploits that are published after the company discloses a vulnerability has gone down dramatically. In 2013, only seven exploits were created for flaws fixed by Microsoft in its monthly updates, down from 53 in 2010.
Other research has shown that the disclosure of zero-day exploits leads to quickly escalating attacks—by as much as a factor of 100,000, according to a 2012 academic paper. Cyber-criminals frequently reverse engineer such attacks and include them in easy-to-use exploit kits that can create sophisticated malware.