The bulk of media coverage after leaks like the recent ‘Vault 7’ release by WikiLeaks tends to focus on zero days: vulnerabilities in software that the manufacturer doesn’t know about until they’re released. This focus is only natural, because the unknown tends to scare people, and scaring people gets you clicks.
But according to a panel of security experts at South by Southwest, this focus on zero days is somewhat exaggerated.
The panel was called Bugs in the System: Mapping the Vulns Market – with ‘vulns’ standing in for vulnerabilities, the catch-all term for exploitable flaws in software. The hour-long panel revolved around the ethical questions surrounding disclosure of these flaws.
Lots of interesting and timely points were raised, especially around when governments should disclose vulnerabilities found by hackers they employ in different agencies.
According to Ari Schwarz, who served as Special Assistant to the President and Senior Director for Cybersecurity during the Obama administration, there are guidelines in place for assessing when and how to disclose found vulnerabilities so that companies can patch them, and government agencies tend to lean towards disclosure.
That last fact might seem to be contradicted by the recent Vault 7 leak, which according to the WikiLeaks press release contains “dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.”
That sounds super scary, and is in fact quite shocking, but according to Heather West, senior policy manager at Mozilla and part of the panel, we “worry too much about zero days.”
The thing is, there’s a much graver problem: “The government turns over a lot of vulnerabilities, but most companies don’t fix them,” she continued. “99 or more percent of exploits used are known vulnerabilities. Using zero days is very rare, most hacks people use are just known vulnerabilities that aren’t patched.”
This is a fact that probably isn’t all that surprising to security researchers, whom I’ve heard complain about the lax approach some companies take towards patching known vulnerabilities.
On the one hand that can be because “there are some bugs that just aren’t a big deal,” said West, or – more problematic – because the flawed product is at the end of its lifecycle, or the cost-benefit analysis a company makes about a fix doesn’t add up.
This is not to say that zero days are nothing to worry about: even though they’re used for malicious purposes far less often than existing flaws, they offer capabilities to actors you might not want to have them – whether intelligence agencies or criminal organizations.
But the focus on finding more unknown zero days – however scary it may be that the CIA can turn your smart TV into a listening device – doesn’t outweigh the fact that there is a huge number of known vulnerabilities out there that need to be fixed. It’s as if we’re freaking out over sneaky burglars who can pole vault into a tiny upstairs window, while our front door is wide open. And we know it’s wide open.
We might want to focus on that fact as well – it might not be as sexy as CIA-owned zero days, but it’s at least as important for our online security.