No one will burn a zero day on you…?

For at least two decades, a common mantra in the Information Security industry has been that “no one will burn a zero day on you!” This is typically said to a person who comes across as overly paranoid, or perhaps to the operator of a small hobby website. The term refers to zero-day vulnerabilities: ones that are not publicly known at all. They are most often associated with highly skilled vulnerability researchers who may work for nation states or significant organizations. While thousands of independent researchers are capable of finding such vulnerabilities in widely deployed software, they more often put them to a better use, whether as résumé fodder through a high-profile disclosure or by selling them to a bug bounty program.

So is the average Jane Doe or Joe Schmoe really at risk of being targeted with a zero day? Historically, no: it was not likely to happen, and when it did, it was extremely rare and not widely known. But what about today or in the near future? Are those of us who have repeated this mantra, myself included, so sure? I for one will be more conservative if I say it again, and may start adding a disclaimer. Why the change of heart?

What if Jane Doe is running a WordPress blog with one of the tens of thousands of third-party plugins? There were over 60,000 WordPress plugins as of a few months ago. What if Joe Schmoe is running some hobby-project blog software used by thousands of people? Auditing these for vulnerabilities is not difficult, and the number of vulnerabilities in WordPress plugins alone surpassed 5,000 last year. Vulnerabilities in hobbyist blog software are quite common as well.

So imagine Joe Schmoe gets into a spat online and mansplains something to Jane Doe one too many times. Jane in turn figures out that Joe is running Arbitrary Plugin for WordPress, which has only had 1,000 downloads and no history of vulnerabilities. After half an hour, Jane finds a remote code execution vulnerability in that plugin. Instead of disclosing it to the vendor or writing a public advisory, she pops Joe’s blog and changes the front page to something insulting and amusing. There you go: a simple and realistic scenario of someone burning a zero day on Joe, who was sure no one would ever burn a zero day on him. She may get a lot more satisfaction from doing that than from making $50 in a bug bounty program or getting a shout-out in a changelog.

What if Jane doesn’t have the skills to audit PHP code? There are countless researchers in countries whose economies differ substantially from Jane’s. She reaches out to one who is happy to get $25 from a bug bounty program, as that represents a lot of money to them. She has the means, and offers that person $100 to find a vulnerability. That is another simple and realistic scenario that could easily play out, if it hasn’t already.

If you still have doubts, consider that there are at least 332 vulnerabilities that were discovered in the wild, meaning the first public awareness of them came during active exploitation, that do not have a CVE ID. Of those, 24 were issues in mods for the game Minecraft, which isn’t exactly a corporate software package. That alone is one case of the introductory mantra already being wrong!

So moving forward, consider my mind changed on the topic of burning zero days on nobodies.

Discover more from Rants of a deranged squirrel.
