
We have an overview with known but fixed vulnerabilities for these browsers: Google Chrome, Mozilla Firefox and Internet Explorer. Such lists exist for many other browsers too. We also have such vulnerabilities which were never reported and might also be used for malicious purposes. I know that years ago 0days in Flash were used to hack browsers.

How often does it happen that browser 0days (or zero-days targeting browser extensions) are used in the wild? Are there any good research papers or publicly available statistics about that topic?

Awaaaaarghhh
  • Not sure if there is a statistic, but it's definitely not very often, because 0 days are something attackers won't just be throwing at you. Just three days ago a story about iPhone 0 days usage was revealed publicly; they have been attacking since 2017 and are only detected now. https://www.wired.com/story/ios-attack-watering-hole-project-zero/ – Raimonds Liepiņš Sep 02 '19 at 12:45
  • @Awaaaaarghhh Research for publicly made exploits or private exploits? Whitepapers for independent 0days or a summary of a few? – tungsten Sep 02 '19 at 14:31
  • @tungsten can you please clarify "publicly made exploits" and "private exploits". I mean there are bugtrackers, CVE lists etc., so those are public, but they don't say anything about how the 0day was found - by a responsible researcher or just found in the wild. I'm interested in 0days in the wild. How many were found e.g. in 2018 or 2017, e.g. by security researchers on some malicious sites or somehow else (e.g. if some vendor stockpiling 0day exploits was hacked). I'm interested in weaponized exploits targeting the masses. – Awaaaaarghhh Sep 02 '19 at 14:36
  • @Awaaaaarghhh What you are looking for is an analytical overview of found 0days in the wild. You could use "google hacking" for this. I'm not sure if there are any; if there are, they will most likely not be ranked at the top of Google. – tungsten Sep 02 '19 at 14:44
  • I mean the question is if defenders (white hats, cyber security enthusiasts who fight for more secure systems) have already "won the cyber war" by making *browser 0days* so expensive that no one (or nearly no one) will actually use any 0days to hack the masses, but only to perform targeted attacks. It doesn't mean that there is nothing left; individuals still need to be protected. But maybe we can already say that 99% of people using a browser are no longer a target for attackers, because 0days are too expensive and so **less likely** to be exploited on the masses. – Awaaaaarghhh Sep 02 '19 at 14:52
  • 4
    No one can accurately answer this, but they're not _that_ uncommon. Mostly targeted, though. – forest Sep 02 '19 at 21:52

1 Answer

2

A 0-day exploit is an exploit which is not yet known to the public, specifically the vendor. As such, statistics about such exploits are difficult to make. But in order to make this answer more satisfactory, we can have a deeper look into how 0-day exploits are dealt with.

When would you use a 0-day exploit?

Most likely, you will use a 0-day exploit when you feel like you can gain more value out of using it than out of selling it. Why? Because every usage has a risk associated with it. In the "worst" case, the 0-day exploit will be detected, reported to the vendor and fixed. The value of the exploit then decreases to basically nothing, because the exploit at this point becomes publicly known with a fix attached, and nobody will buy it from you anymore.

So you will only use it if you think you will benefit from it.

How often are 0-day exploits used?

That's hard to estimate. In all likelihood, very rarely. As mentioned above, it's a risk to the individual or group who uses the exploit. You might think it's equally risky to not use them, as with every passing day, the vulnerability could be found independently and reported to the vendor.

The reason why you can't have good statistics about it is simple: if I had known about a vulnerability since 2017, and it is fixed in early 2020, who else would know that I knew about it? How would anybody gather that data?

In essence, it's impossible to say for sure.

  • I disagree. Antivirus companies have information about caught 0days. Yes, I understand that it is a small fraction of detected vulnerabilities, but I'm sure that they are publishing such information somewhere. – Awaaaaarghhh Sep 02 '19 at 13:02
  • 3
    @Awaaaaarghhh Do you have sources for this claim? –  Sep 02 '19 at 13:04
  • You can catch malware (delivered by zero-days) with heuristics. A behaviour-based approach is an inexact method and might be bypassed, but it still works; I consider it as heuristics. Here is an example: https://github.com/scVENUS/PeekabooAV – Awaaaaarghhh Sep 02 '19 at 13:30
  • Just google for "Behaviour Based Malware Detection". It is not the holy grail, but it is better than nothing. Malware can still detect if it is inside a sandbox or is being traced. – Awaaaaarghhh Sep 02 '19 at 13:33
  • 1
    None of this has anything to do with the original question. –  Sep 02 '19 at 13:36
  • But that's exactly what we want! Precious hints & traces! If you find malware and you know that your honeypot didn't install anything - it only visits websites and maybe views some PDF documents - and then detects malware, then this is a hint that probably a zero-day was used to deliver that malware, and you obviously need to investigate how this malware was delivered by analysing log files, memory dumps, the hard drive – Awaaaaarghhh Sep 02 '19 at 13:38
  • "None of this has anything to do with the original question." Of course not! Because I'm answering here only your questions! And still waiting for someone to answer mine! – Awaaaaarghhh Sep 02 '19 at 13:39
  • 3
    You are severely mistaken. Malware existing on a system doesn't mean that a 0-day was used to deliver it. In fact, there is an overwhelming likelihood that it wasn't. –  Sep 02 '19 at 13:41
  • 1
    Yes, I agree. People can download executables, use weak passwords, not properly configure their system, etc., everything that might somehow be used to break into the system. On the other side you configure a honeypot so that it cannot e.g. download executables or compile some code and then execute that binary. It will just visit websites or analyse email attachments like Excel spreadsheets or PDF documents, and check how the system behaves after visiting a website or opening a PDF. Is it really so impossible? Yes, you won't detect 60% or 90% of such exploits. But saying that it is impossible... – Awaaaaarghhh Sep 02 '19 at 13:47
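The comment thread above sketches a honeypot that only browses and opens documents, with any other activity treated as a lead. As an added example (not code from any commenter, nor from PeekabooAV), here is that behaviour-based check over a constructed, Sysmon-like process-creation log: every process whose ancestry passes through the browser or PDF reader, but which is not one of them, is flagged with its full parent chain. The log lines, PIDs and the `CONTENT_HANDLERS` allowlist are all hypothetical. As the anonymous commenter notes, a hit is an investigation lead, not proof that a 0-day was involved.

```python
# Constructed process-creation log (Sysmon-like fields), not real telemetry.
# Format: ts|pid|ppid|image|cmdline
LOG = """\
2019-09-02T13:30:01|1000|400|firefox.exe|firefox.exe https://example.test
2019-09-02T13:30:04|1010|1000|firefox.exe|firefox.exe -contentproc
2019-09-02T13:31:10|1020|1000|AcroRd32.exe|AcroRd32.exe C:\\Users\\hp\\Downloads\\invoice.pdf
2019-09-02T13:31:12|1030|1020|cmd.exe|cmd.exe /c C:\\Users\\hp\\AppData\\Local\\Temp\\upd.exe
2019-09-02T13:31:13|1040|1030|upd.exe|C:\\Users\\hp\\AppData\\Local\\Temp\\upd.exe
2019-09-02T13:32:00|1050|400|notepad.exe|notepad.exe
"""

# Hypothetical allowlist: the only programs the honeypot deliberately runs.
# Their own renderer/helper subprocesses carry the same image name.
CONTENT_HANDLERS = {"firefox.exe", "acrord32.exe"}


def parse(log):
    """Parse 'ts|pid|ppid|image|cmdline' lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def find_suspicious(events):
    """Flag every process that descends from a content handler but is not
    one itself (e.g. reader -> cmd -> dropped exe). Each alert carries the
    parent chain, youngest first, for the analyst to follow."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"] in CONTENT_HANDLERS:
            continue  # the honeypot's own browsing/viewing activity
        chain, cur = [e["image"]], e
        while cur["ppid"] in by_pid:  # walk up until the parent is unlogged
            cur = by_pid[cur["ppid"]]
            chain.append(cur["image"])
        if any(img in CONTENT_HANDLERS for img in chain):
            alerts.append({"ts": e["ts"], "chain": " <- ".join(chain),
                           "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(parse(LOG)):
        print(a["ts"], a["chain"], "|", a["cmdline"])
```

On the constructed log this yields two alerts (cmd.exe and upd.exe under the PDF reader) and ignores both the browser's own content process and the unrelated notepad.exe.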