Exploits are sold


It is kind of scary but pretty often we see claims that exploits to 0day-vulnerabilities are sold on the Internet. There was one recently for Excel on eBay and now there are claims that there was a WMF-exploit on the market pretty early in December (http://ddanchev.blogspot.com/2006/01/was-wmf-vulnerability-purchased-for.html).

Roger


Comments (38)

  1. Dancho Danchev says:

    Hi Roger,

    Thanks for feating this, I believe their team has managed to figure it out, the worst is what’s to come in the future, namely how will the monetization of security research affect everyone. What do you think on this?

    Regards,

    Dancho

  2. chsecblo says:

    Hi Dancho,

    I definitely agree, that is the reason, why I posted it. The dnager at the moment is not only the exploit being sold but the trend. An Excel exploit on eBay, a WMF-exploit on the Web… The question is how many exploits for 0days are already out there without us knowing it? How many are used at the moment for industrial espoinage and how many are used to preapre attacks?

    It is definitely very scaring. We can handle viruses and worms as an industry pretty well, but what about this kind of threat?

    Roger

  3. Dancho Danchev says:

    Roger,

    I think that bringing $ at the first place was trickly, and commercializing vulnerability research will bring in front all the weaknesses of the current concept. Windows of opportunities, lack of responsible disclosure, vendors put under pressure to release patches, my point is that, I feel the commercialization stage should have happened at a later, more mature stage.

    The need for 0days given the success of reactive security measures as you’ve mentioned is a growing trend that helps malicious attackers stay competitive. Is it time to start building more awareness on proactive solutions?

    Nice point on the industrial espionage, it’s great you see the "potential", count the military as well in here!

    Dancho

  4. chsecblo says:

    Hi Dancho,

    It even goes further in my opinion. Exploits and trojans are written for just one single attack. We saw this last year in Israel and there are more cases of espoinage.

    Therefore it is definitely necessary to think about those kind of attack vectors. I think most of the security people have to learn to think like an attacker and not only like a defender. Might be that this would change quite some architectures

    Roger