"Over the past year, the most resounding suggestion from our Zero Day Initiative researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities. The following is a list of vulnerabilities discovered by researchers enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor has been contacted on the specified date and while they work on a patch for these vulnerabilities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of public disclosure. A list of published advisories is also available."
Note the time from vulnerability reporting to patch on some vendors:
ZDI-CAN-041 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-042 -- Adobe -- High -- 2006.04.07, 144 days ago
ZDI-CAN-046 -- Computer Associates -- High -- 2006.04.07, 144 days ago
ZDI-CAN-061 -- Microsoft -- High -- 2006.06.14, 76 days ago
Don't be in a hurry to blame the vendors: in between dealing with these zero day vulnerabilities, they are all shipping patches for the emerging ones, that is, those that get the highest publicity and make the headlines so actively that there is no choice but to dedicate product development time to quality assurance. Keep in mind that, even though the vendors are still working on fixes, TippingPoint's IPS customers are apparently already protected, since TippingPoint is aware of these exploits. Setting aside the vendor dependability issue, and the fact that ZDI is indisputably turning into an HR-on-demand think-tank for vulnerability research, I discussed some of the issues regarding the possible motivations of vulnerability infomediaries, and what to keep in mind, in a previous post:
- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that socially oriented, but it's still an option?
- ensuring the proactive security of their customers by notifying them first, and only then the general public? That doesn't necessarily secure the Internet, and it gives the clientele a somewhat false sense of security: "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?
- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?
- improving the company's client list through constant collaboration with leading vendors while communicating a vulnerability in their software products?
Diversify your infrastructure to minimize the damage from zero day outbreaks, ensure end users have only the privileges they need, do your homework, camouflage and implement early warning systems/decoys, and yes, keep track of your assets and ensure they're already protected against their known vulnerabilities. Responsible disclosure is the socially oriented approach; the trouble is that the Internet itself is a capitalistic society with basic market forces.