
Zero Day Threats: Part 3 – When & How Are They Released?

Tuesday, June 26, 2007 at 9:16am by Craig Schmugar

In part 2 of this blog series, I touched on the profile and motivations of those behind Zero Day Threats. In part 3, we’ll take a look at when and how these threats are released/discovered.

In 2003, Microsoft moved to a monthly patch release cycle (commonly known as Patch Tuesday, for the second Tuesday of each month). After a while, people noticed a correlation between when zero day vulnerabilities were discovered/disclosed and their proximity to Patch Tuesday. Some concluded that many zero day threats are strategically released very close to Patch Tuesday as a means to maximize the Window of Vulnerability (the time during which an attacker can take advantage of a yet-to-be-patched vulnerability). To test this theory, I took a look at some 200 Microsoft zero day vulnerabilities since January 2005, tracking when they were discovered relative to the closest Patch Tuesday. You may be asking: 200 Microsoft zero day vulnerabilities since January 2005?!? While some consider local denial-of-service vulnerabilities not to be zero days, I’ll defer to my previous definition, which was used for the purpose of creating the chart below:

The public availability of exploit information on the same day that a vulnerability is publicly disclosed.

This chart plots the proximity of each discovery to the closest Patch Tuesday.

This data can be broken down as follows:

  • In 2005, 7 (18%) Zero Day threats were discovered within ±3 days of Patch Tuesday.
  • In 2006, 36 (31%) Zero Day threats were discovered within the same time frame.
  • In 2007, 10 (24%) Zero Day threats were discovered within the same time frame (as of April 15).

NOTE: ±3 days is a 7-day window. Given an even distribution, one would expect to find 23% of all vulnerabilities during this window. The data suggests that, at least in 2005 and 2007, strategic releases were not that common, and even 2006 only showed an 8% deviation from that baseline.
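The following is an added example, not part of the original post, showing how the measurement above can be reproduced: compute the second Tuesday of each month, take the signed distance of each disclosure date from the nearest Patch Tuesday, and compare the share inside the ±3 day window with the 7/30 uniform baseline. The disclosure dates in it are constructed samples, not the author’s dataset.

```python
"""Added example (not from the original post): measure how close disclosure
dates fall to the nearest Patch Tuesday and compare the share inside a +/-3 day
window with the uniform baseline. Sample dates below are constructed."""
from datetime import date
import calendar


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's monthly release day)."""
    first_weekday, _ = calendar.monthrange(year, month)  # Monday == 0
    offset = (calendar.TUESDAY - first_weekday) % 7      # days to first Tuesday
    return date(year, month, 1 + offset + 7)


def nearest_patch_tuesday_offset(d: date) -> int:
    """Signed days from the closest Patch Tuesday (negative = before it).
    Previous, current and next month's release days are all considered so a
    date late in a month is measured against the upcoming release."""
    candidates = []
    for delta in (-1, 0, 1):
        y, m = d.year, d.month + delta
        if m == 0:
            y, m = y - 1, 12
        elif m == 13:
            y, m = y + 1, 1
        candidates.append(patch_tuesday(y, m))
    closest = min(candidates, key=lambda pt: abs((d - pt).days))
    return (d - closest).days


def window_share(dates, window_days: int = 3) -> float:
    """Fraction of dates within +/-window_days of a Patch Tuesday."""
    hits = sum(1 for d in dates if abs(nearest_patch_tuesday_offset(d)) <= window_days)
    return hits / len(dates)


# Constructed sample disclosure dates, not real vulnerability records.
SAMPLE_DISCLOSURES = [
    date(2006, 12, 9),   # 3 days before the 12 Dec 2006 Patch Tuesday
    date(2006, 12, 15),  # 3 days after it
    date(2007, 1, 2),    # 7 days before 9 Jan 2007
    date(2007, 1, 9),    # on Patch Tuesday itself
    date(2007, 2, 22),   # 9 days after 13 Feb 2007
    date(2007, 3, 30),   # 11 days before 10 Apr 2007, closer than 13 Mar
]

# Uniform baseline the post uses: a 7-day window out of a ~30-day month.
EXPECTED_UNIFORM = 7 / 30
```

Replacing SAMPLE_DISCLOSURES with real disclosure dates gives the per-year percentages the post reports; a share close to EXPECTED_UNIFORM is what you would see if release timing were unrelated to the patch cycle.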

There is another significant factor to consider: vulnerabilities discovered through active exploitation have been erroneously assigned the date of disclosure, rather than the date the exploit was actually released. Of course there is a good reason for this; the release date is not always known. There have been cases in the past where server logs showed evidence of zero day exploits being uploaded well in advance of the discovery date.

The following chart shows the number of zero day threats and the method by which they were discovered/disclosed, comparing two six-month periods:

Roughly 10% of all vulnerabilities were first discovered through active exploitation. While a significant share of these, 42%, were discovered within the ±3 day window, we don’t know the actual release date for many of them.

So where does this leave us? Well, undoubtedly some attackers are waiting for the right moment to strike, but this is somewhat akin to trying to sell stock at its peak price. Attackers can’t really know how long their zero day threat will go unnoticed, when it will be reported to the vendor, patched, etc. They can be sure that if they release their threat within a few days before Patch Tuesday, Microsoft would have to pull off something that has yet to happen to date: the release of an emergency patch in under 6 days. If they release, say, 10 days before Patch Tuesday, it’s a gamble that the threat will go unnoticed for at least a few days before being reported to Microsoft. Of course they could wait until just after Patch Tuesday to release, but by doing so they would fail to maximize the duration of effectiveness.

It’s more likely that many attackers do not wait and simply release their threats as soon as they are ready to be released.  The more time that passes, the greater the chance that the vulnerability will be disclosed and/or patched.

Check back later in the week for the 4th and final part of this blog series.


Comments (1)

  • Justine Aitel June 26, 2007 12:16PM

    Thanks for this. The industry-wide increase in the discussion of 0day is a good thing. Not everyone is in agreement on everything (for example Immunity focuses on and defines 0day itself, rather than the 0day threat), however the increased discussion is going to help people understand threats & protect themselves. Immunity took 0days public in 2002 when the company was founded. The public response, general understanding and acceptance of 0day at that time demonstrated a real misunderstanding of the existence and threat of 0day. The subsequent establishment/success of programs such as those listed in Part 2 is both a reflection of and an influence over today’s rapidly changing security landscape.