There’s been a lot of back-and-forth between Pete Lindstrom, Adam Shostack, and TQBF regarding the benefits (or lack thereof) of vulnerability research and disclosure, culminating in Pete saying he’d buy beer…
C’mon, just point me to ONE major vendor patch bulletin that originated when you saw the vulnerability exploited in the wild before any good guys knew about it. Presumably, this exploit would have been the catalyst for discovery and disclosure by the good guys. I’ll definitely buy you a beer or 50 if you can do that.
he was quickly forced to put his money where his mouth is:
TQBF did me right. He found the references I was looking for and now will drink for free, though I am guessing not as much as he hoped. (C’mon now, when I said 50 beers I was thinking the ever-so-delicious Coors Light.) Bass Ale (or the other stuff if you can find it) on me in Chicago all night on 9/26/05, somewhere near here. (I think you said you live in Chicago now.) Rain dates acceptable if necessary.
I’d like to throw out CAN-2004-1050, aka the Internet Explorer IFRAME vulnerability, which was announced and patched out-of-cycle after it was used on The Register’s compromised banner ad servers as part of the Bofra worm. The most famous exploit may have come out a few days after the CVE was created, but I just want to come out for beers since you’re going to be in town. I don’t mind buying my own.
Of course, when all is said and done, I personally think it’s irrelevant. Given that in an environment of any size whatsoever, there’s always at least one machine which is vulnerable to any number of known patchable exploits, what’s the point of worrying excessively about it? This is the reason for Defense-in-Depth.
Sure, you could probably calculate the expected risk of a private exploit being used against a particular application if you have metrics for codebase size (either in kLOCs or Function Points), defect density, and the rate at which defects have security implications in the particular language/API, but there’s no point. All that’s going to tell us is what we already know: that vulnerabilities exist and will continue to be found until long after I’m dead and gone. Undiscovered vulnerabilities are simply one more risk we have no choice but to accept if we want to continue to do our work with a keyboard and mouse instead of a pencil and paper.
From my perspective, though, these sorts of 0days (so much shorter and l337er to say than “in-the-wild exploit against an undiscovered vulnerability”) are fun in the same vein as ghost stories and the Bermuda Triangle. They provide us a useful reminder about the limits of our knowledge and our ability to protect ourselves. If we didn’t have things we all acknowledge we flat-out can’t defend against, we might be tempted to think absolute security is attainable.
As an aside, does anyone know how many holes were found and closed during the great Microsoft Security Stand Down? Does Microsoft even know? And more interestingly, what I’d really like to know (but never will) is how many new holes were inadvertently created during that exercise.
Though if memory serves me, the IFRAME heap overflow doesn’t quite fit the conditions I’d set (I think it was unpatched but known), you are welcome to come out for beer as well. This is turning into quite a tab I am going to have…
Pete Lindstrom
Chandler Howell Says:
I agree that, so far as we know, it didn’t quite qualify. Still, as a wormed exploit, a really clever attack which effectively targeted sysadmins (by hitting The Register’s ad servers), and the only patch yet to force Microsoft to break their monthly release cycle, it’s certainly worth mentioning.
I’ve also wondered if the AWStats remote command execution exploit from January wasn’t being exploited before the vulnerability was announced. I know I wasn’t scanned for it until February 6th, almost three weeks after it was formally announced, but the original disclosure by iDEFENSE (who buy private exploits) would lead me to think it qualifies:
VIII. DISCLOSURE TIMELINE
10/21/2004 Initial vendor notification
01/02/2005 Initial vendor response
01/17/2005 Public disclosure

IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
(emphasis mine)
Don’t worry too much about the tab. Unless the crowd gets completely out of hand, I’m probably good for a round.
Chris Walsh Says:
Of course the crowd will get out of hand.
As far as the question at hand, what about the Witty worm? It seems to represent a sort of middle ground: it showed up “too fast” to be the work of “black hats leveraging a disclosure,” but it nonetheless appeared after a disclosure was made. Could it have been a stockpiled “spl01t” conveniently released for plausible deniability? I am not l33t enough to judge. Some seem to have thought so.
Let me steal some words from Dan Geer:
“Because only known vulnerabilities get fixed, the central question is who knows what and when. The conservative assumption for a vulnerability discoverer is that he was not the first to discover the current vulnerability. A similarly conservative assumption is that not all vulnerability discoverers are of good will. Therefore the question is ‘How many vulnerabilities are known, silently, to persons not of good will?’ The corroborating evidence that this number is nonzero lies in observing that all major virus or worm attacks to date have exploited previously known vulnerabilities, never unknown ones. With such evidence, either all vulnerabilities are discovered by persons of good will or there is a reservoir of vulnerabilities being held in reserve.” (www.dtc.umn.edu/weis2004/weis-geer.pdf)
Why this kind of statement should be controversial mystifies me.
Chris
Randy Says:
I think that 0day exploits are a valued commodity and people do not want to waste them on a worm before they are disclosed. Instead, people are using them to individually hack into machines to ensure that they can always get into important targets. But as soon as vendors start releasing patches, they figure they might as well just release a worm and create a bot network instead, or sell their exploit to others who will then do that…
Pete Says: