For a while now, I have been tracking "undercover vulnerabilities" and exploits. These exploits are a subset of zero day (0day) exploits - while zero day attacks are focused on vulnerabilities that don't have patches, the undercover exploit is focused on vulnerabilities that were unknown prior to the exploit occurring "in the wild." That is, we had no prior knowledge of the vulnerability before the attack took place.
I think this is significant to track because it is an indicator of two things:
- It reminds us that even before vulnerabilities are disclosed they exist in the software, and it is possible that we should be working harder to provide protection.
- It highlights alternative methods for identifying vulnerabilities other than the discover and disclose cycle that occur between bugfinders and vendors today.
There are a handful of other reasons why I think this tracking is important... but I am stuck wondering if this is useful for the community. It is remarkably difficult (and time consuming) to actually trace the origins of an announcement - it essentially involves taking all reports of "0days" and vendors being aware of attacks in the wild, and playing chicken and egg games to try to come to a conclusion.
Currently, the OSVDB has taken up the charge (thanks, Jericho), but I don't think they can do the full root cause analysis required to really get to a solid determination -My list has 21 undercover vulns since 1988 and theirs has 75 (10 in 2009), though I haven't updated mine since last October (did I mention the time consuming part? ;-)).
While I have not executed an all-out full-court press on vendors, the times I did ask for follow-up to see how the vulnerability was discovered resulted in somewhat ambiguous answers about having "no information" or "disclosure agreements" that prevent any discussion about them.
So, if you think the list is helpful, please let me know. And if you are a conspiracy theorist (I can't help but wonder a bit myself) I would be curious to hear why you think vendors are reluctant to provide this information - personally, I think we should care MORE about these vulns and not less.
BTW, Perfect "Pete-read":
http://romeo.copyandpaste.info/txt/ats-policy.txt
"... After the five days have passed, we must conclude that the vendor has issued
some sort of hotfix or a patch to fix the security problem and now the HACKER
sends the bug information, the exploit to the COMMUNITY and possible a
patch too.
Now has security been increased? Do you really think that most of COMMUNITY.
ie: the people that read BUGTRAQ want to patch their servers? No! It is
script kiddies that are waiting for the latest warez, as soon as HACKER
releases this new bug to the COMMUNITY thousands of script kiddies with
little or no skill will start breaking into hundreds of thousands
of boxes and if this bug were genuine, they would! And belive me lots of
boxes would get destroyed.
Now, I ask.. is this a good thing you are doing by posting to the COMMUNITY
all logic says NO!"
Posted by: Anton Chuvakin | July 13, 2009 at 03:32 PM