4 April 2002


On Wed, 3 Apr 2002, G wrote:

> No, "zero day warez" is what was mentioned, which is correct.  What
> you are referring to is a "zero day exploit" which is also correct,
> but much less common as these windows of vulnerability are usually
> quite short lived before the community at large becomes aware of the
> problem.  (It is difficult to test an exploit in isolation or without
> a target, and someone must know it exists before they can use it.)

Clarification: warez kiddiez use the term 0day to mean a new release of a game/movie/etc ...

I would like to contest your "short lived" hypothesis.  Myself, some of the Honeynet members as well as a few other groups have been keeping statistics on vulnerabilities for formally researching the sizes of these "windows."  We have been trying to note when the exploits get caught in the wild, when the vulnerability is discovered vs. when the usable exploits for it get written, when the gossip starts in the haxor groups, when the information gets circulated in the ivory tower "security information cartels," and when the public advisories are released vs. the private and public distribution of the tools to exploit them.  It's quite a complicated informational ecosystem with surprising linkages and leakages, and so far the data is all over the map, making it difficult to discern trends because it varies so much on a case by case basis.  We are trying to pull all this together into some papers in the future.

I have seen no evidence that these windows are decreasing in size and becoming "short lived."  As a matter of fact I would even postulate that the opposite phenomenon may be in effect, as the general awareness of security has also increased the recognition of the value of this knowledge, as well as increased the market for and viability of converting this intellectual property into other forms of currency. :-)

I know of several security firms and vendors that are willing to and have handed over cash and other rewards in exchange for this kind of information, and the number of small clusters and groupings of individuals, organizations, and even nation-states exchanging this information is on the rise.  The haxor "scene" itself seems to be suffering from some increasing fragmentation and compartmentalization too.  Must cause great fun and headaches for the SigInt folks. :-) :-P

As a pretty sensationalistic case in point, the recent fairly wide-ranging CERT advisory on the broad and multiple vulnerabilities in equipment utilizing the SNMP protocol is acknowledged to have been in circulation in the "underground" for well over two years, enough time, it is reputed, for certain groups and individuals to amass practical exploits for over 75% of the targets listed (which was, well, uh, almost everything :-).  It is certain that some vendor organizations had notification at least six months in advance of its publication.

The "antisec" movement seems to be picking up converts instead of shrinking.

Ph33r.

As they say: All your base r belong to us. :-)

(P.S. if that doesn't convince you, my own verified vulnerability clock on SNMP ASN overflows puts it at >4 years. b00m! ;)
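The P.S. names the bug class behind that SNMP advisory: ASN.1 length handling in the BER decoder. As an added illustration that is not part of the original mail and reconstructs no particular vendor's flaw, here is the simplest form such a bug takes: a BER length decoder that trusts the length octets it is handed, beside one that validates every field against the number of bytes actually received. The sample length fields, function names and status codes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the checked decoder (constructed for this example). */
enum ber_status {
    BER_OK = 0,
    BER_ERR_TRUNCATED,   /* length octets or content run past the packet        */
    BER_ERR_INDEFINITE,  /* 0x80 indefinite form; SNMP/DER forbid it            */
    BER_ERR_TOO_LONG,    /* more length octets than size_t can hold             */
    BER_ERR_OVERSIZED    /* announced content length exceeds what was received  */
};

/* Naive BER length decoder of the kind that gives rise to "ASN overflows".
 * It trusts the packet completely: it never checks that the long-form length
 * octets are present, that the accumulated value fits in size_t, or that the
 * content it announces exists. A caller that then copies that many bytes into
 * a fixed-size field has a textbook buffer overflow. */
static size_t ber_length_naive(const uint8_t *p, size_t *consumed)
{
    uint8_t first = p[0];
    if ((first & 0x80) == 0) {          /* short form: 0..127 */
        *consumed = 1;
        return first;
    }
    size_t n = first & 0x7f;            /* long form: n length octets follow */
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | p[1 + i];    /* no bound on n, no bound on len */
    *consumed = 1 + n;
    return len;
}

/* Checked decoder: `avail` is the number of bytes actually received, and
 * every field is validated against it before being used. */
static enum ber_status ber_length_checked(const uint8_t *p, size_t avail,
                                          size_t *len, size_t *consumed)
{
    if (avail < 1)
        return BER_ERR_TRUNCATED;
    uint8_t first = p[0];
    if ((first & 0x80) == 0) {
        *consumed = 1;
        *len = first;
        return (*len <= avail - 1) ? BER_OK : BER_ERR_TRUNCATED;
    }
    size_t n = first & 0x7f;
    if (n == 0)
        return BER_ERR_INDEFINITE;
    if (n > sizeof(size_t))
        return BER_ERR_TOO_LONG;        /* would silently wrap the accumulator */
    if (n > avail - 1)
        return BER_ERR_TRUNCATED;       /* the length octets themselves are missing */
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *consumed = 1 + n;
    if (v > avail - *consumed)
        return BER_ERR_OVERSIZED;       /* announces more content than we hold */
    *len = v;
    return BER_OK;
}

/* Example sink: copy an OCTET STRING body into a fixed 256-byte field.
 * With the naive decoder this is where the overflow would happen; here the
 * length is bounded first by the packet and then by the destination.
 * Returns bytes copied, or -1 on rejection. */
static int copy_octet_string(uint8_t dst[256], const uint8_t *pkt, size_t pktlen)
{
    size_t len, consumed;
    if (ber_length_checked(pkt, pktlen, &len, &consumed) != BER_OK)
        return -1;
    if (len > 256)
        return -1;
    memcpy(dst, pkt + consumed, len);
    return (int)len;
}

/* Constructed sample length fields (not captured traffic). */
static const uint8_t SAMPLE_SHORT[]   = { 0x03, 'a', 'b', 'c' };          /* length 3, 3 bytes follow */
static const uint8_t SAMPLE_HUGE[]    = { 0x84, 0xFF, 0xFF, 0xFF, 0xFF }; /* claims 4,294,967,295 bytes */
static const uint8_t SAMPLE_INDEF[]   = { 0x80 };                         /* indefinite form */
static const uint8_t SAMPLE_MISSING[] = { 0x82, 0x01 };                   /* says 2 length octets, has 1 */
static const uint8_t SAMPLE_WIDE[]    = { 0x89 };                         /* 9 length octets: wraps size_t */

/* Thin wrappers returning plain integers so the two decoders are easy to compare. */
static unsigned long naive_length_of(const uint8_t *p)
{
    size_t consumed;
    return (unsigned long)ber_length_naive(p, &consumed);
}

static int checked_status_of(const uint8_t *p, size_t avail)
{
    size_t len, consumed;
    return (int)ber_length_checked(p, avail, &len, &consumed);
}

int main(void)
{
    uint8_t field[256];
    printf("naive decode of SAMPLE_HUGE:   %lu bytes announced (packet is %zu bytes)\n",
           naive_length_of(SAMPLE_HUGE), sizeof SAMPLE_HUGE);
    printf("checked decode of SAMPLE_HUGE: status %d\n",
           checked_status_of(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("copy of SAMPLE_SHORT:          %d bytes\n",
           copy_octet_string(field, SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The five-byte SAMPLE_HUGE field is the whole point: the naive decoder hands back a "length" of four billion bytes from a packet that holds none, and any memcpy that believes it runs off the end of whatever buffer it targets. The checked version rejects it, and separately rejects the indefinite form, missing length octets, and a length-octet count wide enough to wrap the accumulator, which is the second, quieter way the same decoder can be made to lie.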