Google’s Project Zero argues that detection bias might be at play when we consider zero-day vulnerability rates in popular products
ANALYSIS When zero-day vulnerabilities are discovered, direct disclosure to vendors usually results in rapid patch development.
However, not every hacker wears a white hat, and in some cases, security flaws may be actively exploited for criminal or financial gain.
Alternatively, as in the case of the US National Security Agency’s Eternal Blue exploit, these high-value, unpatched vulnerabilities may be reserved for government surveillance and other covert purposes.
When we think of the prevalence of zero-day vulnerabilities, it is not surprising that Microsoft’s Windows operating system comes to mind.
Popular software with the large user bases will always be prime targets, but according to Google Project Zero’s Maddie Stone, Microsoft’s top spot as the most targeted company may be due to detection disparity and bias rather than objective reality.
Zero Dark Twenty
On Wednesday (July 29), Stone released the results of analysis conducted by Project Zero on zero-day vulnerabilities detected in the wild during 2019.
In total, Project Zero detected and disclosed 20 zero-days actively exploited in the wild – an increase of eight vulnerabilities year on year. Of this figure, 11 belonged to Microsoft.
Apple accounted for two and Google, three. However, considering that both of these rival companies also account for vast numbers of users due to the Mac, Chrome, iOS, and Android ecosystems, the disparity seemed odd to Stone.
“We started this effort with the assumption of finding a multitude of different conclusions, primarily ‘technical’, but once the analysis began, it became clear that everything came back to a single conclusion: we have a big gap in detecting zero-day exploits,” the researcher explained.
Stone considers the zero-day rates attributed to Microsoft as due to “detection bias” because the Windows operating system has been a target for attackers for so long.
The Redmond-based tech giant and third-party security outfits have been creating Windows-based zero-day detection products for years, and with more people examining this operating system than others for vulnerabilities, detection rates are likely to be higher.
Only four of the 11 zero-days that were detected exploited the latest Windows 10 release, with others targeting legacy Windows builds and the aging Internet Explorer browser.
“As long as we still don’t know the true detection rate of all 0-day exploits, it’s very difficult to make any conclusions about whether the number of 0-day exploits deployed in the wild are increasing or decreasing,” Stone added.
According to Google’s Maddie Stone, it’s difficult to determine if the number of zero-day exploits is on the rise
Push for transparency
According to the security researcher, the methods of reporting actively exploited bugs are also of concern, as they are sometimes recorded simply as just another bug.
However, if a vendor is made aware of active attacks, they may react differently – such as expedited patching, commissioning additional research, or investing in improved detection tools.
“If all would transparently disclose when a vulnerability is exploited, our detection numbers would likely go up as well, and we would have better information about the current preferences and behaviors of attackers,” Stone noted.
The security industry’s focus on particular threats is also of note. More than 60% of all detected and exploited zero-days by Project Zero throughout 2019 were memory corruption issues, roughly half of which being use-after-free vulnerabilities.
Stone says that this category of bugs are relatively easy to detect in comparison to more novel security flaws.
Detecting zero-day vulnerabilities in mobile operating systems has recently become a focus for Project Zero.
In 2019, only three were detected: two for iOS and one for Android.
However, considering a combined user base of billions and the high price of exploits sold to private traders – with some vulnerabilities being worth millions of dollars – it is not that vulnerabilities don’t exist: the problem is finding them.
“An unfortunate reality in cybersecurity is that while detecting vulnerabilities is critical, remediating them is even more important,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, told The Daily Swig.
“While we have excellent detection efforts in the form of organizations like Project Zero, unless the software industry and IT teams apply the lessons from those efforts, we can’t really improve the overall security resilience of modern society.”