The big-bad scary zero-day exploit: it sends almost the same kind of shivers down everyone’s back as APT. Yet, like the advanced persistent threat, the zero-day is suffering some hype fatigue. More Web servers are popped by known bugs and exploits than some shadowy secretive attack crafted by the Electrical Engineering University of China’s People’s Liberation Army. Yet companies are still bombarded with marketing FUD about zero-days despite numbers that indicate exploits hitting unknown vulnerabilities account for less than 1% of all malware.
So do zero-days matter? Like everything else in security, it depends. If you’re in the bug hunting and bug selling business, they sure do. Last week’s CanSecWest hacker, err, researcher conference in Vancouver was a zero-day Lollapalooza, with companies like VUPEN taking dead aim at Google Chrome and Microsoft’s IE9 browser with zero-days developed just for the event. The French company, called out by privacy advocate Chris Soghoian at the recent Kaspersky Security Analyst Summit, admits to holding on to certain vulnerabilities and exploits only for its customers, at times refusing to share information with the affected vendors. Soghoian said VUPEN and others sell exploits to governments, who pay a heck of a lot more for what can be turned into a weaponized exploit than, say, a security conference or a bug bounty program such as TippingPoint’s Zero-Day Initiative.
VUPEN CEO Chaouki Bekrar told Threatpost that VUPEN’s government customers are only trusted democracies and not oppressive countries. Even taking him at his word, the argument remains that while a select few get a fix, the general user population stays exposed. It’s silly to think attackers aren’t way ahead of the game and already have their share of unreported bugs and exploits at their disposal, but this level of backroom wheeling and dealing is disconcerting. It casts a poor light on offensive security research, and events like the Pwn2Own contest are probably unwittingly aiding and abetting.
I had a conversation with Microsoft senior security strategist lead Katie Moussouris recently about zero-days and vulnerability disclosure. Katie has been in the security business a while, including a stint at @Stake back in the day, and she said Microsoft’s experience with the research community is much different. She said that 80% of vulnerabilities found in Microsoft products are disclosed privately, and 90% of those disclosures are made directly to Microsoft. Most researchers, she said, are not motivated by money, but by intellectual curiosity. As a result, Microsoft has shied away from offering a bug bounty, and has instead focused on rewarding defensive security research with initiatives such as its Blue Hat Prize.
These are watershed days for security researchers and vulnerability disclosure. To be honest, the whole disclosure debate probably gives most of you a headache, worst of all if you’re a CISO sitting between the researchers and the vendors and the VUPEN-like middlemen while all this wrangling plays itself out. Tim Stanley, former CISO at Continental Airlines, summed it up best a couple of years ago:
“I love the love-fest between the vendors and researchers, but quite honestly, I don’t give a hoot. I’m the consumer, the guy who paid for the product that I expect to be correct in the first place. I’m the guy who paid for the software. When am I gonna know? The issue becomes a matter where the people paying for the product need to be better represented in this process.”