3

I chose that title, but there are probably several ways to ask this question. It's all about understanding how a computer (especially desktop, but you could generalize this to servers I guess) can get infected if it's always up to date (daily updates) and if you are not stupid enough to explicitly allow execution of untrusted software. For example, everybody says you should not open suspicious attachments in emails, but why not? If there is code or macros in the attachments, the application should warn you and ask if you want to execute it (at least that should be what LibreOffice does). If you connect a USB key to your computer, no software in that key should be executed automatically (that's what Linux does, and I hope Windows today asks you for confirmation anyway). Same thing for "drive-by downloads", if you don't accept to download a file, install a plugin, etc. then how can anything happen just by browsing a website?

UNLESS...

Unless attachments, USB keys, websites, etc. exploit a 0-day vulnerability. Then yes, everything can happen without your consent, and everything is possible in theory. But how common is this? So, going back to the question in the title: what percentage of infections are due to 0-day vulnerabilities? My impression, which might be wrong of course, is that it's a very small percentage, almost zero, and that all the infections are due to people not updating their software regularly, people clicking "ok" to give permission to execute something that should have no reason to be executed (like document.doc.exe, do you want to execute the following program? Of course! Click), people accepting to download updates for whatever software or plugin from unofficial websites, and so on.

So I'm asking about 0-days because that seems to me the only class of vulnerabilities that makes sense considering. If you don't update your software you can't say "I got infected just by browsing a website", but you should rather say "I got infected just by forgetting to update my browser/OS/etc". My reasoning basically made me come up with 3 classes of vulnerabilities (out-of-date software, explicit consent to run untrusted software, and 0-day vulnerabilities) and since the first two classes can be easily neutralized I'm just focusing on the likelihood of the third. Unless of course all my reasoning is wrong.

reed
  • 15,398
  • 6
  • 43
  • 64
  • 3
    You underestimate the risk of explicit consent. The user is often the weakest link in the chain, and untrained users will often run things they shouldn't. Have a look at the macro'd office documents that tell the user they need to ensure macros are switched on to view. Eg. https://goo.gl/images/tBWbMB – SilverlightFox Apr 21 '18 at 11:09

2 Answers2

4

It's a valid question, and I can't find data to answer it precisely. The Verizon DBIR does not seem to single out zero-day vulnerabilities used, and I'm not aware of any study that does. I do believe the chances to be small, however.

I think you're looking at a very narrow slice of things, however, since it sounds like you're mostly focused on isolated home workstations. Yes, those are basically going to be compromised by:

  1. Users executing things (including document macros, files on flash drives, downloads, whatever)
  2. Known (and patched upstream, but patch not deployed) vulnerabilities
  3. Known (and unpatched upstream) vulnerabilities
  4. Unknown vulnerabilities (0-day)

I completely agree that for home users, the last category is a small percentage of infections. However, there is a non-trivial lag time between an 0-day being "burned" (i.e., the vendor becomes aware of it, and it becomes a 1-day), and the general availability of a patch. During this time, a compromised user is not compromised by an 0-day, but is also unable to stop it via patching.

However, in the enterprise, things get different very quickly. Firstly, we have to add "lateral movement" and "stolen credentials" to our list of vectors. Secondly, we add enterprise applications, many written in house without attention to security, to our threat landscape. These may have "0-days" by the dozen, and are commonly used to breach enterprises. Finally, most enterprises roll out patches quite slowly in comparison to the rate of malware appearing that exploits a vulnerability. Malware authors may not care if their malware crashes 50% of the time, but you better believe an enterprise cares if 50% of their workstations start crashing due to a bad patch.

David
  • 15,814
  • 3
  • 48
  • 73
1

It does not make sense to calculate percentage of infections caused by zero-days and it can vary from 0 to a significant number in case of a pandemic-like outbreak. We had them in the past. In 2017 we have reported 40 zero-day vulnerabilities that were exploited before public knowledge or vendor patch.

www.zero-day.cz (statistics for 2017)

Some of them were used in targeted attacks, some were detected as backdoors, injected by malicious actors (e.g. CCleaner, NotPetya ransomware outbreak). Advising a user not to open files sent from untrusted/unknown source is a good advice against random attacks, bcs the majority of users do not have hardened workstations, disabled macro in Office software etc. it does not help though against a targeted attack, bcs you may receive that file from a trusted person =)

The bottom line is: you will bring false sense of security by saying that percentage of zero-days in real-world attacks is ZERO and you should not care about them.

Valery Marchuk
  • 546
  • 2
  • 6