Tracking Zero-Day Vulnerabilities

Zero-day vulnerabilities (vulnerabilities that become public before the vendor has a fix available) are as old as computing itself. Details that appear before a patch exists leave every affected system exposed with no official remedy, so you need to learn about zero-day vulnerabilities as soon as they surface.

You can learn about new vulnerabilities through many channels. Mailing lists remain the primary method for disclosing zero-day vulnerabilities, so subscribe to the lists that matter for your security work. Web sites are another source, and several track both vulnerabilities and the exploit code that accompanies them.

eEye Digital Security recently launched a new site called Zero-Day Tracker. Although the eEye Research Team doesn't always post zero-day vulnerabilities on day zero, new vulnerabilities do appear on the site within a few days of their publication. What I find most interesting about the site is that you can use it not only to learn about new vulnerabilities but also to mine data on how vendors respond to them.

The site records the publication date of each zero-day vulnerability along with its perceived severity level and, eventually, the date the vendor releases a patch. That data gives a clear view of how long the public remains exposed to a given risk before the vendor provides an official fix.

For example, a quick glance at the site shows five high-risk vulnerabilities in Microsoft products for which there is no patch. As I write this, the newest of those is a Word vulnerability published a couple of days ago, and the oldest is a problem with an ActiveX control in Visual Studio 2005 that has remained unpatched for 124 days.

You can view similar data for vulnerabilities for which the vendor has released a patch. And the site isn't confined to Microsoft vulnerabilities; it also covers other mainstream vendors whose products run on Windows. So if you need to catch up on new vulnerabilities and exploits for Windows-related products, the site is a good place to visit. Consider bookmarking it.

Speaking of zero-day vulnerabilities, Windows Vista, recently released to enterprises, has one, although it primarily affects Microsoft itself rather than Vista's users.

Microsoft provides a Key Management Service (KMS) that lets enterprise Vista deployments handle product activation without contacting Microsoft. With KMS in place, Vista periodically contacts the service to keep the OS activated, and therein lies the vulnerability.

Someone figured out how KMS works, built a hacked version, and published it on the Internet as an easily loadable virtual machine (VM) image. Now anyone can download that VM, put it on a network, and activate pirated copies of Vista against it. This will of course cost Microsoft a lot of money in lost licensing fees.

You might consider examining the VM to work out how to detect it, so that you can make sure nobody runs a copy on your network. Links to it appear on various torrent tracker sites and standalone Web sites. To find related information, search the Internet for the string "Microsoft.Windows.Vista.Local.Activation.Server-MelindaGates".
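As an added example (not part of the original column or of any eEye or Microsoft tooling), the following Python script shows one way to start hunting for an unauthorized KMS host. It relies on two documented facts about KMS: clients discover the service through the _VLMCS._tcp DNS SRV record, and they talk to it on TCP port 1688. The zone data, hostnames and approved-host list below are constructed for illustration only.

```python
"""Flag KMS hosts on a network that are not on the approved list.

KMS clients locate an activation host through the _VLMCS._tcp DNS SRV record
and talk to it on TCP port 1688, so a rogue KMS VM usually shows up as either
an unexpected SRV target or an unexpected TCP/1688 listener. The zone data
below is constructed sample data; every hostname in it is hypothetical.
"""
import re
import socket
from dataclasses import dataclass

KMS_SRV_NAME = "_vlmcs._tcp"
KMS_PORT = 1688

# Matches zone-file / dig-style SRV lines:
#   <owner> [<ttl>] IN SRV <priority> <weight> <port> <target>
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def normalize_host(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def parse_srv_records(zone_text: str) -> list[SrvRecord]:
    """Parse SRV records from zone-file-style text, skipping comments and blanks."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        m = SRV_LINE.match(line)
        if m is None:
            continue  # not an SRV record; ignore
        records.append(SrvRecord(
            owner=normalize_host(m["owner"]),
            priority=int(m["priority"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=normalize_host(m["target"]),
        ))
    return records


def find_rogue_kms_records(records, approved_hosts):
    """Return _VLMCS._tcp records whose target is not an approved KMS host.

    Only records owned by _vlmcs._tcp.<zone> are considered; other SRV records
    in the zone (for example _ldap._tcp) are left alone.
    """
    approved = {normalize_host(h) for h in approved_hosts}
    return [
        r for r in records
        if r.owner.startswith(KMS_SRV_NAME) and r.target not in approved
    ]


def probe_kms_port(host: str, port: int = KMS_PORT, timeout: float = 2.0) -> bool:
    """Return True if something accepts TCP connections on the KMS port.

    A client can be pointed at a KMS host directly (slmgr /skms), bypassing
    DNS, so sweeping candidate hosts for a TCP/1688 listener complements the
    SRV check. This needs network access and is not exercised offline.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: what a zone dump or `dig _vlmcs._tcp.corp.example.com SRV`
# answer section might look like. Hostnames are hypothetical.
SAMPLE_ZONE = """\
; KMS service location records (constructed sample data)
_vlmcs._tcp.corp.example.com.  3600 IN SRV 0 0 1688 kms01.corp.example.com.
_vlmcs._tcp.corp.example.com.  3600 IN SRV 0 0 1688 kms02.corp.example.com.
_vlmcs._tcp.corp.example.com.  600  IN SRV 0 0 1688 wks-lab-17.corp.example.com.
_ldap._tcp.corp.example.com.   600  IN SRV 0 100 389 dc01.corp.example.com.
"""

# Hypothetical list of the KMS hosts licensing actually deployed.
APPROVED_KMS_HOSTS = ["kms01.corp.example.com", "KMS02.corp.example.com"]

if __name__ == "__main__":
    rogue = find_rogue_kms_records(parse_srv_records(SAMPLE_ZONE), APPROVED_KMS_HOSTS)
    for r in rogue:
        listening = probe_kms_port(r.target)
        print(f"unexpected KMS SRV target: {r.target}:{r.port} (TCP/{r.port} open: {listening})")
```

Run against a real zone dump, the script lists any activation host that licensing did not deploy. Because a client can be pointed at a KMS host by hand with slmgr /skms, the SRV check alone is not conclusive; sweep the subnets where workstations and lab VMs live for TCP/1688 listeners as well, and treat any hit that is not an approved host as something to investigate.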

TAGS: Security