Domain: zerodayinitiative.com
Stories and comments across the archive that link to zerodayinitiative.com.
Comments · 27
-
Re:Failure to understand definition of zero-day
I strongly object to 'do not even conceptually know'.
Zero days are hardly ever fundamentally novel attacks.
Inadequate input sanitisation, buffer overflows, ...
http://www.zerodayinitiative.c... - for example
None of the first several I looked at looked particularly novel, even compared with attacks of a decade or two ago.
-
Exploit details (sort of)
The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:
-
Re:Only locally, not remote
I looked at the pwn2own website for results from 2012; they only listed browsers. I assumed no mobile devices were included. I looked at this:
http://pwn2own.zerodayinitiative.com/
and this:
-
The only targets are OS X Lion or Windows 7
Where does it say you can't use Linux for browser testing?
The targets will be running on the latest, fully patched version of either Windows 7 or Lion.
Back in 2008, Linux was available as a target in Pwn2Own, but in an interview Aaron Portnoy of TippingPoint explained that Linux is now not included in Pwn2Own to avoid controversy.
-
Re:Depends on the specific case, of course
Not illegal in the slightest; there are many companies that are actively and publicly purchasing 0day.
Why would it be unethical to research and sell 0day to your own government? Governments need cyber armaments as well as physical ones. Are tank manufacturers unethical?
-
Re:Blow the Whistle
What can you morally do otherwise but blow the whistle?
You could sell it, responsibly.
If you sell the exploit to something like the Zero Day Initiative or iDefense you won't have to deal with the vendor, they will. And they are far more experienced at that as well. That way you'll get rid of your current problem, the issue is dealt with properly and you might even earn a few bucks in the process.
-
Zero Day Initiative
Why not get these guys to help you? Maybe the vendor will take them seriously.
-
Re:Brain... locking... up...
Yes, you give a link for one vulnerability. That's a single data point. What is it supposed to show? That IIS has vulnerabilities? I did not claim otherwise.
Your claim was that IIS5 used to be unsafe. With IIS5 having an unpatched DOS exploit currently under attack, I'm trying to point out that your statement is rather inaccurate.
It's good that I also compared how critical vulnerabilities are, and where they can be used from, then. Do you have any specific objections to the numbers quoted in my previous post (and also those on the pages I've linked), or my analysis of them? If so, then please write your own, to demonstrate where I am wrong.
Vendors rate the criticality themselves - don't they? Additionally - Microsoft seems highly reluctant to acknowledge and patch flaws. Comparing the flaws that leak out of this regime to an open source project which hides nothing yields a result that will invariably favour the secretive party. Your "analysis" is deeply flawed.
-
Re:"And now, YOUNG JEDI? You WILL die..."
whereas there is NOT A SINGLE ONE on Windows Server 2003 [..] I cannot fix... or, avoid
So - you cherry-picked a release and even this one has several unpatched and known exploits in it? Congratulations!
WHAT? Apparently, you aren't aware of the JAVA bug that Apple had, for MONTHS now, that other vendors patched many, Many, MANY months ago... would you like proof of THAT, also?? Just ask... I'll get the link, & right from this website...
http://blogs.zdnet.com/security/?p=1708 http://zerodayinitiative.com/advisories/upcoming/
Windows runs more software AND ON MORE HARDWARES in peripherals
Whether Windows can run loads of software is irrelevant. If it did not ship with it - it will not get counted as a flaw.
As for your last comment - you just don't get it do you?
-
Re:If your browser supports SVG
Just make sure you're patched first.
-
Re:Or, ...
They change the rules and targets each year. Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year. It's used to promote the Zero Day Initiative which pays you directly for exploits, no fancy contest needed. The contest serves its purpose perfectly. It's never been a meaningful way to stop exploits anyway, just a promotional vehicle for the conference and the respective companies. Nobody's going to make a career out of this competition. If they were good enough to do that, they could make a comfortable living from the ZDI.
-
Outsource the Risk
Though many experts in the area make it policy to inform the vendor, some vendors respond in wildly inappropriate ways. Some simply ignore it, others will contact law enforcement authorities believing that they are being blackmailed. And yes indeed, some security conscious people have been arrested for trying to do "the right thing."
I'm surprised this bug wasn't handled through the Zero Day Initiative. The researcher gets paid, TippingPoint runs interference on any legal bullying, responsible disclosure happens, TippingPoint gets a market advantage.
The only way this isn't win-win-win is if your goal is to embarrass the vendor.
-
Re:So, Linux is not more secure?
The short answer : yes
The longer answer : every OS is vulnerable one way or another. The difference lies mostly in the response and the response time by the vendors.
Linux : take the Debian ssh disaster a few months ago as an example. I read about it at Google News, headed over here to check how the Linux bashing was coming along, and while I was reading, the "update available" icon appeared. A few minutes later and the vulnerability was no more.
Admittedly, it took a *VERY* long time to find out about the problem in the first place, but the response time from then on was very short, and the update contained concise information about the whole mess.
Today's vulnerability will probably take a bit longer to be fixed, as it requires some primordial changes in the way package managers work to be fixed. But I'm rather sure people are already looking for a solution (you know .. people who actually CAN fix this kind of problem, not your average /. reader)
Apple Mac : when Apple admits that there is a vulnerability in their products, they take their dear sweet time to fix it. As a matter of fact, Apple just released a security fix for Apple TV, covering vulnerabilities dating back to, at least, January 2008 (at which time it was fixed for OSX, but NOT for Apple TV). I can't comment on how detailed the security fixes are, as I don't own Apple products.
Microsoft : the Zero Day Initiative still lists 12 issues concerning Apple products, classified as "high severity", but the oldest item is a Microsoft vulnerability dating from September 2006 (more or less quoted verbatim from the iWire article I'll link to a bit later). Microsoft updates are particularly obscure in their descriptions, and, if I remember correctly, they are sometimes even applied without asking the user first, and have a bad habit of breaking other stuff.
So, is Linux 100% secure? No, and it will never be. But at least the devs react in a timely manner, and they don't just install something without telling you what it is or that they are patching at all. Therefore it is better secured than Apple and Microsoft products, whose vulnerabilities are often left open, for the sake of obscurity I suppose.
"Superiority" is a highly subjective term, so I won't even start to tread on this subject. It is for me, but your mileage might vary.
-
Why not compromise
This is exactly what the TippingPoint Zero Day Initiative is for: to give credit and a bit of money to researchers who spend time and effort to discover vulnerabilities in software.
Sure these researchers should get money/credit, but what if they become greedy or irresponsible?
-
Any protection is NOT better than no protection
Now, don't get me wrong, *any* protection is obviously better than none
That is not obvious. It's even wrong.
There are several examples of protection software which actually weakened the host PC because the software added new vulnerabilities which were open for remote exploits. A quick Google search revealed these examples:
Norton Anti-virus: http://blogs.zdnet.com/threatchaos/?p=334
Clam Anti-virus: http://www.zerodayinitiative.com/advisories/ZDI-05-002.html
Kerio and Tiny Personal Firewall: http://www.derkeiler.com/pdf/Mailing-Lists/securityfocus/bugtraq/2003-05/0099.pdf
NOD32 Anti-virus: http://www.frsirt.com/english/advisories/2007/1911
Check Point Firewall-1: http://secunia.com/advisories/10794/
-
Competition for VCP and ZDI
This will be interesting to see how it plays out. The two main legitimate vulnerability purchasers at the moment are iDefense's VCP (http://labs.idefense.com/vcp/) and TippingPoint's ZDI (http://www.zerodayinitiative.com/). An open marketplace for researchers to sell their work is a good thing if implemented correctly. Previously there was little or no room to negotiate a fair price, and all the information had to be disclosed to the buyers first (trust is assumed that they will not use the information if they decide not to buy). Having a third party running an auction/fixed price sale will hopefully bring out the legitimate market for this kind of research. On the flip side, there is a large can of ethics-laden worms being opened up, and again I will be interested to see in a year's time if the WabiSabiLabi marketplace is still operating successfully. Here is an interesting paper on The Legitimate Vulnerability Market: http://weis2007.econinfosec.org/papers/29.pdf
-
Re:Moot issue?
You could report it through a 3rd party like The Zero Day Initiative, a division of 3com's Tipping Point intrusion prevention service.
That gives small time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3com's customers) while retaining the possibility of a reward.
-
Re:All's fair...
I've posted this before on another clone of this discussion but here it goes:
From www.zerodayinitiative.com
The Zero Day Initiative (ZDI), founded by TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
- reward independent security research
- promote and ensure the responsible disclosure of vulnerabilities
- provide 3Com's TippingPoint division customers with the world's best security protection
It looks to me like a good idea... Granted, 3com makes a lot of money in the process, but sometimes it's worth a price.
-
Look into ZDI
Have you checked out the Zero Day Initiative?
From their front page:
The Zero Day Initiative (ZDI), founded by TippingPoint, a division of 3Com, represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. The program's goal is threefold:
- reward independent security research
- promote and ensure the responsible disclosure of vulnerabilities
- provide 3Com's TippingPoint division customers with the world's best security protection
-
already being done
Check this out: zerodayinitiative
It's actually better than the parent's proposal, because you're not directly dependent on the company whose software you've exploited.
-
Don't Get Comfortable Yet
After three months of being pounded with some of the largest Microsoft patch cycles, it looks as though they're providing us with a breather. Don't get too comfortable though; researchers seem to have plenty of Microsoft content in their queue. Look no further than the 7 pending advisories in the ZDI queue - http://www.zerodayinitiative.com/upcoming_advisories.html - for proof of that. I've made the following blog post discussing my thoughts on this month's Microsoft patches - http://portal.spidynamics.com/blogs/msutton/.
-
Re:Anonymous reporting
The Zero Day Initiative is what you're looking for.
-
Or you can get paid for it...
I think a vulnerability can be reported anonymously quite safely
And you can even get paid for doing it! Remember the Zero Day Initiative that was on the news a while back? They guarantee anonymity.
-
Re:Are they building up Intellectual Property
The answer is no.
From their FAQ (http://www.zerodayinitiative.com/faq.html):
Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?
We are sharing with other security vendors in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.