Carelessness Runs Amuck With Zero Day Vulnerabilities

It's no secret that some hackers, predominantly wearing either black or grey hats, discover vulnerabilities and then proceed to sit on those vulnerabilities for some variable amount of time. The motives for not informing the affected vendors appear to vary from entirely self-centered reasons to the need for leverage against a given vendor who might claim to be improving security, but just not fast enough for the satisfaction of some people. Sometimes the latter explanation turns out to be more of a ruse than fact.

In recent months the Internet community has become exposed to "A Month of Browser Bugs," where every day for a month a new bug in a Web browser was published openly to a public Web site. A follow-up to that series, "A Month of Kernel Bugs," is currently underway and so far has exposed serious vulnerabilities in Linux, Windows, BSD, and related subsystems. One bug related to wireless drivers is severe and the effects are far-reaching given that the core problem stemmed from a vendor who restributes their code to other vendors, who in turn modify that code to match their own hardware specifications. The end result with particular wireless vulnerability is that numerous vendors must each produce a unique patch and some get that patch out to users of their products. Meanwhile countless users remain at extreme risk.

The "month of bugs" trend is apparently catching hold with others. On November 20 a person who goes by the name of "Caesar" posted a message to the Bugtraq mailing list announcing "A Week of Oracle Database Bugs" slated to begin on some unspecified day in December. Caesar gave a link to the Argeniss company Web site, which apparently is behind the series. He wrote that the motive is to demonstrate that Oracle's security is insufficient, and that the company "isn't getting any better at securing it's products." He added that people "already know the history: two years or more to fix a bug, not fixing bugs, failing to fix bugs, lying about security efforts, etc." While the allegations of lying are unproven, security administrators already do know about Oracle's lag time for producing security fixes. It's no big secret, so it seems rather transparent and relatively unbelieveable for Argeniss to claim that as a motive.

It's sometimes understandable to use leverage against vendors' security-related claims, particularly when they're placing the Internet community at high risk. However, in the process of embarassing vendors some self-proclaimed "researchers" invariably harm innocent users of the affected vendors' products.

Even more troubling in the case of Argeniss is that the company claims it could do "The Year of Oracle Database Bugs" but stops short of that by saying "\[We\] think a week is enough to show how flawed Oracle software is." Argeniss goes on to claim that it is in possession of "zero days" for "all database software vendors" then proceeds to allege that Oracle doesn't care about security. The latter statement seems rather twisted, given the amount of carelessness required to publish zero-day vulnerabilities.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.