Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day Vulnerabilities On the Market

Posted by CmdrTaco on from the not-as-good-as-my-negative-four-day dept.

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."

8 of 94 comments (clear)

  1. Re:I'm surprised white markets aren't more common by bluesatin · · Score: 3, Informative

    I think it would be a grand strategy in Afghanistan -- build goodwill with farmers through buying their crop at prices better than the Taliban is offering, denying the Taliban a source of income through trafficking and probably having a significant supply reduction in the global heroin market.

    This would probably cause a knock-on effect of increasing production in the area, due to the fact that you will be increasing the profits for the poppy growers, and perhaps also encouraging people to start poppy farming; selling to US troops is probably a hell of a lot less scary than selling to the Taliban.

  2. Re:I'm surprised white markets aren't more common by Ltap · · Score: 4, Informative

    You're right. The drug-growing problem in Afghanistan is two-fold: very little will grow there other than desert plants. Opium grows there and is extremely profitable to grow, so if they were to try and grow other crops, they would probably not be sustainable without more infrastructure (such as an irrigation network to grow crops that need more ground water). There have been attempts to cultivate some local plants to extract oils for use in beauty products, but it's a niche market and only a small amount of farmers can do it without over-saturating the market. A crop that would grow in Afghanistan, is in demand, and is rare enough to warrant transportation costs to the rest of the world is the ideal crop, and right now that is opium. Until there is a viable alternative, that is what farmers will grow.

    --
    Yet Another Tech Blog
    (but so much more, including game and movie reviews)
    http://yanteb.peasantoid.org
  3. Re:"Zero-day" is just noise by chill · · Score: 3, Informative

    0-day means there is no patch available, as opposed to vulns that come out after patches are issued and you could possibly upgrade your system to being secure.

    Anything that is patched, but you haven't bothered to update your system and are thus vulnerable to, isn't a 0-day.

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Does it matter? by khasim · · Score: 2, Informative

    If you are the company who wrote the software, you now know where the flaw is and can fix it.

    If you release a patch, that could be reverse engineered and the bad guys would find the flaw anyway.

    1. Re:Does it matter? by John+Hasler · · Score: 2, Informative

      > If you are the company who wrote the software, you now know where the flaw
      > is and can fix it.

      But if you are a black hat (or a government: same thing) you want exclusive ownership. Even if you are the company that wrote the software you don't want the exploit sold to black hats who will exploit it between now and the time you deploy your fix (or afterward against the many customers who won't upgrade).

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  5. Not a trend. by yoda · · Score: 2, Informative

    The vulnerability contributor program @ Verisign and TippingPoint were setup by the same person. I know this because that person used to work for me. Google is buying simply as a reaction to the China stuff. This isn't a trend...though on the surface, it appears that way.

  6. Re:I'm surprised white markets aren't more common by Zerth · · Score: 2, Informative

    Taliban suspected of stockpiling 12,000 tons of poppies?

  7. What passes for Insightful... by Gary+W.+Longsine · · Score: 2, Informative

    Taliban and the Drug Trade
    Some members of the U.S. drug enforcement community suggest that a new strategy may have been adopted by the Taliban in the wake of their July 27, 2000 announced ban on cultivation. This strategy would reflect a desire by the Taliban to use their “monopoly” position to maximize profits, i.e. restrict supply by restricting cultivation; drive prices up dramatically; and sell from an extensive supply of stockpiled opium. According to the United Nations Drug Control Program (UNDCP) personnel, in the past, up to 60% of opium stock has been stored for sale in future years."

    Uhm, no. What nut jobs like Mullah Omar say, and what they actually do, might overlap, but may not be entirely equivalent.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.