Monday, January 30, 2006

Was the WMF vulnerability purchased for $4000?!

Going through Kaspersky's latest summary, Malware Evolution: October - December 2005, I came across a research finding that would definitely go under the news radar, as always. And while the hackers seem to be more elite than the folks who actually found the vulnerability, I think the issue itself deserves more attention in relation to the future development of a market for 0day vulnerabilities.

Concerning the WMF vulnerability, it states:

"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/spyware business, and it seems likely that this was how the exploit became public."

Two months ago, I had a chat with David Endler, director of Security Research at TippingPoint, about their Zero Day Initiative, an alternative to iDefense's efforts to provide money as an incentive for quality vulnerability submissions. The fact that a week or so later the first vulnerability appeared on eBay felt "good", mainly because what I had long envisioned actually happened: motivated by the financial rewards already on offer, a researcher decided to get higher publicity, and thus better bids. I never stopped thinking about who gains, or who should actually gain: the vendor, the end user, the Internet as a whole? Or am I just being a moralist here, as always?

This whole concept seemed flawed to me from the very beginning. While you might wish you could permanently employ every great researcher you ever came across, on-demand hiring where necessary seems to work just fine. But starting with money as an incentive is a moral game in which "better propositions" under different circumstances could also be taken into consideration. Researchers will always have something to report, and once ego, reputation and publicity are a given, it comes down to the bottom line, the hard cash: not "who'll pay more for my research?", but "who values my research more than everyone else?". And when it comes to money, I feel it's common sense to conclude that the underground has plenty of it. I am not saying that a respected researcher will sell his or her research to an illegal party, but just as a company's most serious competitors are not its current ones but the emerging ones, I feel quite a lot of not-so-publicly-known folks have a lot to contribute.

Possible scenarios for future vulnerability purchasing trends might be:

- What if vendors start offering rewards ($ at the bottom line) for responsibly reported vulnerabilities, eliminating the need for intermediaries at all? And do the current intermediaries play an important role in centralizing such purchases? I think the Full Disclosure movement, whether conscious or subconscious :), is rather active and will continue to be. Now, what if Microsoft breaks the rules and opens up its deep-pocketed coat?

- How is the 0day status of a purchased vulnerability measured today? My point is, what if the WMF vulnerability was used to "nail down" targeted corporate customers, or even the British government as actually happened, and this went totally unnoticed due to the lack of mass outbreaks, while the author cashed in twice by selling the supposed 0day to iDefense or the Zero Day Initiative? What if?

- Requested vulnerabilities are the worst-case scenario I can think of at the moment. Why bother getting excited about yet another IE vulnerability when you know that person/company X runs AV scanner Y and uses browser X1 as a security-through-obscurity measure? That is a sort of reverse model compared to the current one, where researchers "push" their findings. What if it turns into a "pull" approach: "I am interested in purchasing vulnerabilities affecting that version of that software"? Would this become common, and how realistic is it at the bottom line?

Some buddies often ask me why I always brainstorm on the worst-case scenario. I don't, actually; I try to brainstorm on the key factors and how the current situation would inevitably influence the future. And while I'm not Forrester Research, I don't charge hefty sums for a 10-page report on the threats posed by two-factor authentication or e-banking, do I? Still, I'm right on quite a few occasions.

At the bottom line, ensure that $ isn't the only incentive a researcher is getting, and don't treat researchers as if they are all the same, because they aren't. Instead, sense what matters most to the individual and go beyond the financial incentive, or you'll lose in the long term.

What are your thoughts on purchasing vulnerabilities as far as the long term is concerned? What is the most effective way of dealing with 0day vulnerabilities compared to the current approaches? Might a researcher sell his findings to the underground, given that he knows where to do it? What do you think?