When exploit code is released into the wild, it gives attackers a 47-day head start on their targets, new research has warned.
Kenna Security teamed up with the Cyentia Institute to analyze 473 vulnerabilities from 2019 where there was some evidence of exploitation in the wild.
Over the succeeding 15 months, the team noted when a vulnerability was discovered, when a CVE was reserved, when a CVE was published, when a patch was released, when the bug was first detected by vulnerability scanners and when it was exploited in the wild.
It found that exploit code is released into the wild in around one in four (24%) cases, and that the majority (70%) of exploited CVEs were likely predated by publicly available exploit code.
There is therefore strong evidence that “early disclosure of exploit code gives attackers a leg up,” argued Kenna Security CTO, Ed Bellis.
However, things are a little more complicated than that, he added.
“At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released,” Bellis explained. “That’s an indication that exploit code availability is not the motivator that some would suggest it is.”
Early disclosure may also help the white hat community, by providing the code from which IDS and IPS signatures can be derived. It could also push software vendors to produce patches more quickly, and organizations to apply a patch once one becomes available.
The good news is that responsible disclosure processes appear to be working quite well. Around 60% of vulnerabilities have a patch before a CVE is officially published, rising to over 80% within just a few days following the publication of a CVE.
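The statistics above are all comparisons between the per-vulnerability timestamps the study collected (exploit code release, first exploitation in the wild, patch release, CVE publication). The script below is an added illustration, not code from Kenna Security or the Cyentia Institute: it computes those same lifecycle metrics over a handful of constructed records with hypothetical labels, and treats "within a few days" as a parameter (7 days here) since the article does not state the exact window. Missing events are modelled as None, which is what makes the "patch never released" and "never exploited" cases fall out of the denominators correctly.

```python
"""Vulnerability-lifecycle metrics over constructed sample records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Callable, List, Optional


@dataclass(frozen=True)
class VulnTimeline:
    """One vulnerability's lifecycle dates.

    None means the event was never observed within the study window
    (no patch yet, no public exploit code, no in-the-wild exploitation).
    """
    ident: str                          # hypothetical label, not a real CVE ID
    discovered: date
    cve_reserved: date
    cve_published: date
    patch_released: Optional[date]
    exploit_code_public: Optional[date]
    exploited_in_wild: Optional[date]


def _share(records: List[VulnTimeline], predicate: Callable[[VulnTimeline], bool]) -> float:
    """Fraction of records satisfying predicate; 0.0 for an empty list."""
    if not records:
        return 0.0
    return sum(1 for r in records if predicate(r)) / len(records)


def share_with_public_exploit_code(records: List[VulnTimeline]) -> float:
    """Share of all vulnerabilities for which exploit code became public."""
    return _share(records, lambda r: r.exploit_code_public is not None)


def share_exploited_predated_by_exploit_code(records: List[VulnTimeline]) -> float:
    """Among vulnerabilities exploited in the wild, share where public exploit
    code appeared on or before the first observed exploitation."""
    exploited = [r for r in records if r.exploited_in_wild is not None]
    return _share(exploited, lambda r: r.exploit_code_public is not None
                  and r.exploit_code_public <= r.exploited_in_wild)


def share_patched_within(records: List[VulnTimeline], days: int) -> float:
    """Share with a patch available no later than `days` after CVE publication.
    days=0 means the patch was out on or before the publication date."""
    return _share(records, lambda r: r.patch_released is not None
                  and r.patch_released <= r.cve_published + timedelta(days=days))


def median_gap_days(records: List[VulnTimeline], start_attr: str, end_attr: str) -> Optional[float]:
    """Median of (end - start) in days over records where both dates exist.
    Negative values mean the 'end' event actually came first. None if no pairs."""
    gaps = []
    for r in records:
        start, end = getattr(r, start_attr), getattr(r, end_attr)
        if start is not None and end is not None:
            gaps.append((end - start).days)
    return median(gaps) if gaps else None


def summarize(records: List[VulnTimeline]) -> dict:
    """All metrics in one place; the 7-day window is an assumption of this example."""
    return {
        "exploit_code_public": share_with_public_exploit_code(records),
        "exploited_predated_by_code": share_exploited_predated_by_exploit_code(records),
        "patched_before_cve_published": share_patched_within(records, 0),
        "patched_within_7d_of_cve": share_patched_within(records, 7),
        # Positive: exploit code preceded the event; negative: the event came first.
        "median_days_code_to_exploitation": median_gap_days(records, "exploit_code_public", "exploited_in_wild"),
        "median_days_code_to_patch": median_gap_days(records, "exploit_code_public", "patch_released"),
    }


# Constructed sample records with made-up dates; not data from the study.
D = date
SAMPLE = [
    #            ident       discovered      reserved        published       patch           exploit code    exploited
    VulnTimeline("sample-1", D(2019, 1, 10), D(2019, 1, 12), D(2019, 2, 1),  D(2019, 1, 28), D(2019, 2, 5),  D(2019, 3, 1)),
    VulnTimeline("sample-2", D(2019, 2, 1),  D(2019, 2, 3),  D(2019, 3, 1),  D(2019, 3, 3),  None,           D(2019, 4, 1)),
    VulnTimeline("sample-3", D(2019, 3, 1),  D(2019, 3, 2),  D(2019, 3, 15), D(2019, 3, 10), None,           None),
    VulnTimeline("sample-4", D(2019, 4, 1),  D(2019, 4, 2),  D(2019, 5, 1),  None,           D(2019, 4, 20), D(2019, 5, 10)),
    VulnTimeline("sample-5", D(2019, 5, 5),  D(2019, 5, 6),  D(2019, 6, 1),  D(2019, 5, 30), None,           None),
    VulnTimeline("sample-6", D(2019, 6, 1),  D(2019, 6, 2),  D(2019, 6, 20), D(2019, 7, 15), D(2019, 7, 1),  D(2019, 7, 5)),
]

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name}: {value}")
```

Two details matter when reproducing numbers like these on real data: the "predated by exploit code" share must be computed only over vulnerabilities that were actually exploited (otherwise never-exploited bugs silently deflate it), and a vulnerability with no patch in the window must count against the "patched within N days" share rather than being dropped.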
However, once again, this doesn’t tell the whole story.
“Just because a patch is released, it doesn’t mean it will get used. Companies have a backlog of open vulnerabilities,” explained Bellis.
“Conversely, just because an exploit is available, that doesn’t mean attackers will use it. So, there are periods of time when attackers are able to deploy more attacks than defenders can patch, and there are times when defenders have momentum.”
Unfortunately, at present, attackers have momentum 60% of the time, according to the research.