0-days, n-days, too many days

A software vendor, a threat actor, and a bug bounty hunter walk into a bar. The bug bounty hunter goes “have you guys heard about this new bug I just spotted?” “Never heard of it,” says the software vendor. The threat actor just gives the widest grin. Meanwhile, the users in another table are all just drinking their woes away, completely oblivious to it all.

Ok, it’s not a funny joke. But it is a grim reflection of reality for IT.

Breaking News: Water Is Wet

Google found that 80% of the zero-day exploits it finds could be traced back to “commercial” spyware vendors. In an unsurprising twist that is bound to go down in history as “Rosebud 2,” Google found that more than half of all zero-day exploits over the past 10 years affecting Google’s products and services were created, used, or identified by commercial spyware vendors.

Furthermore, Google identified the real reason why this happens – the financial incentive that rewards CSVs – and how that factor is what drives the hunt for new exploits. In the continuing tug of war between software vendors closing exploits and threat actors finding new ones, the ability to monetize new bugs perpetuates this activity regardless of the many improvements put into software creation, testing and validation. 

Familiar names like the NSO Group (responsible for the infamous Pegasus spyware), continue to make millions – and, in fact, continue to operate as a legitimate business – regardless of the fact that their whole modus operandis is to find, exploit, and sell remote access, monitoring, and espionage tools.

From 0-days to n-days

It is also quite remarkable that Google is putting forward the concept of “n-days” being as dangerous as 0-days in terms of cybersecurity. The difference here is that a 0-day exploit hasn’t been addressed by the vendor yet (or the patch hasn’t been delivered yet), and an “n-day” is an exploit for which a patch is readily available but hasn’t been deployed to a system yet. From mobile devices to web servers, the same concept applies without change.

In fact, the risk of n-days is probably larger than that of 0-days. While the 0-day is only known to a small group of threat actors, or even just one, an n-day will usually have advisories and reports published across multiple outlets, making it much more visible to anyone looking. In fact, tools like Metasploit are often updated with the latest proof-of-concepts for new vulnerabilities just a few days after their disclosure. At that point, it becomes a game of whack-a-mole for the IT teams: patch the bugs before someone probes for their existence in the systems they manage.

Don’t get the wrong impression – if your system is found to be vulnerable, and a threat actor is probing, it doesn’t really matter if it’s a 0-day or an n-day. Until patched, both are equally able to cause problems.

At TuxCare, we’ve repeatedly hit the “you should patch now” drum. You could argue that we have an interest in doing that, as we provide KernelCare Enterprise, a live patching tool that facilitates just that – patching immediately as a patch becomes available rather than at some point in the future. But it really goes beyond this. 

The immediacy of deploying a patch is a race against time, where 2nd place could cost your organization millions (cost of a breach). Also because each successful breach emboldens threat actors to continue their activity, with higher payouts in sight.

But it’s also the safest way forward. There isn’t much to be done against 0-days. You can’t know about, or protect from, threats that haven’t been disclosed or for which no patch exists. But every day you delay applying a patch when it is there for your systems is another day that you shouldn’t be giving threat actors to target you.

We’re still far out from a magic solution that fixes cybersecurity across the board for everyone. We’ll likely never have one. The only real option is mitigating the risk whenever possible. The “it won’t happen to me” mindset is a big enemy – threat actors don’t follow this idea.

Commercial Spyware Vendors

The legitimization of spyware as an industry creates a skewed battlefield in cybersecurity. When governments overlook the operations of these vendors, they ignore the broad risks posed to digital security and privacy. It’s crucial to recognize and address the distortions introduced by the commercial spyware industry, which profits from the creation and exploitation of vulnerabilities at the expense of global cybersecurity.

Moving Forward

While there’s no panacea for the myriad cybersecurity challenges, the path forward involves diligent risk mitigation. Accepting the reality that vulnerabilities exist and acting swiftly to address them is key. The cybersecurity community must continue to advocate for responsible vulnerability disclosure, robust security practices, and the prompt application of patches. Only through collective effort can we hope to maintain a semblance of security in the digital world.

The conversation between the software vendor, threat actor, and bug bounty hunter in the metaphorical bar is not just a reflection of the current state of cybersecurity but a call to action. Awareness, vigilance, and proactive measures are our best defense against the ever-evolving threats posed by both known and unknown vulnerabilities. Everyone has a part to play in safeguarding the digital frontier and de-legitimizing business models that focus on exploiting, stealing, and hacking others.

Summary

Article Name

0-days, n-days, too many days

Description

Google found that more than half of all zero-day exploits over the past 10 years affecting products and services. Read our reflection

Author

Joao Correia

Publisher Name

TuxCare

Publisher Logo