
What makes some zero-day vulnerabilities more valuable than others?

Some vulnerabilities are more valuable or more urgent than others. What are the determining factors?

If you’ve ever investigated vulnerabilities or searched for a specific CVE number (the unique identifier assigned to a publicly known vulnerability), you may have stumbled over a site or two that list the “value” of a vulnerability.

This may have left you wondering how such a value is determined, or why some vulnerabilities are rated with severities such as Low, High, or Critical (labels that usually come from a CVSS score).

Roughly speaking, the value of a zero-day vulnerability depends on a few distinct factors:

  • Ease of use
  • Reach
  • Impact
  • Accessibility

Ease of use

Most cybercriminals are lazy: they want to copy and paste some code, run a script, and unleash it. From there they prioritize the most enticing victims and work out how to turn them into the biggest profit. With a suitable zero-day as a starting point, the pool of potential victims can be so large that cybercriminals have to, and can afford to, let a few of them go.

In 2023, ThreatDown saw how the CL0P ransomware group adopted a new method for triaging, at scale, the victims it compromised through the MOVEit Transfer vulnerability (CVE-2023-34362). More details about that dangerous campaign are available in our State of Malware report 2024.

Reach

The reach of a zero-day is determined by how many users run the application or system the vulnerability was found in, and how easily those users can be reached. A vulnerability in a popular library used by a large set of online applications can have a major impact.

Take for example Log4j (CVE-2021-44228, better known as Log4Shell), a name that still triggers alarm bells, even two and a half years later.

As Malwarebytes Labs wrote in its blog at the time of the vulnerability’s discovery:

“Log4j is an open-source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the potential reach of this problem is enormous.”

Impact

Impact is almost self-explanatory: what can an attacker gain by exploiting a specific vulnerability? You may have a working zero-day, but if all it lets an attacker do is shut down a service, that is nowhere near as impactful as a remote code execution (RCE) vulnerability that allows you to take control of a system. Not that other vulnerabilities, which extract information, elevate your permissions, or cause a denial of service (DoS), can’t be useful. They certainly are, but we usually see them in an attack chain, combined with other weaknesses.

Accessibility

It’s also important to consider what you need before you can exploit a weakness. Do you need administrator credentials, physical access, or a position on the same network, or do you have to trick the target into doing something (like clicking a link)? Any of those makes a vulnerability less valuable than a zero-click vulnerability in a publicly accessible, internet-facing service or device. “Zero-click attacks” is the name we use for attack methods that require no action from the victim.

A vulnerability that allowed an attacker to send maliciously crafted web content to a target, which could lead to arbitrary code execution, was considered serious enough for Apple to create a fix for older systems.

2023

Google Threat Analysis Group (TAG) and Mandiant published a report looking at trends, gaps, lessons learned, and successes when it comes to vulnerabilities across 2023.

We’ll share a few highlights that should be easier to understand now that we know what determines the value of a vulnerability.

Popular targets for exploit hunters, because of their reach, are Chrome and iOS. Both have a huge number of users and are easily accessible, since they are almost always connected to the internet.

The report states that exploit mitigation techniques are starting to show their effect in browsers and operating systems. Secure coding practices, and especially the use of memory-safe languages, are paying off. Improved sandboxing in browsers and iOS’s Lockdown Mode are also meaningful contributions.

Google pats itself and Apple on the back for making these investments, which are having a real impact on the safety of users and which force attackers to spend more time finding new attack surfaces and new bug patterns.

The report also highlights attackers’ focus on vulnerabilities in third-party components: a bug in a shared component is present in multiple applications, and so has greater reach. Examples are browser components, video codecs, and graphics libraries.

Graphics processing units (GPUs) are a prime attack surface when building exploits for Android devices, because the vast majority of Android devices use one of two GPU drivers: Arm’s Mali driver or Qualcomm’s Adreno driver. Many Android bugs also go unfixed for quite some time thanks to a double patch gap: the delay between the upstream fix and the vendor’s driver update, and then the delay before device manufacturers ship that update to users.

What users can do is keep a close eye on their environment, or hire professionals to do that for them, and apply patches as soon as they possibly can.

Which leaves us with an important conclusion from the report:

“2023 has shown that software and product vendors ought to prepare themselves for how they will respond when an in-the-wild zero-day is discovered targeting their product.”

There is no reason for anyone to assume they will be safe in 2024.
