Attacks/Breaches
10/5/2012
12:34 PM
50%
50%

Weaponized Bugs: Time For Digital Arms Control

Thriving trade in zero-day vulnerabilities means dangerous bugs get sold to the highest bidder, and that puts everyone else at risk.

By many accounts, however, bug-selling remains a relatively exclusive arena, meaning it shouldn't be tough to regulate. Furthermore, that's unlikely to change, as it's difficult to turn zero-day millionaire, given fierce competition from other bug hunters, as well as the risk that a vendor might already have discovered a zero-day vulnerability, and have a fix in development.

Still, the price paid for some vulnerabilities suggests that ethically speaking, sellers might be up to no good. As Microsoft threat analyst Terri Forslof has said, "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."

Vulnerabilities are hot in part because they can be weaponized and put to work quite quickly. "It doesn't take much time at all to commoditize a vulnerability into an exploit," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. For example, he found that the Adobe Flash Player security update (CVE-2012-1535) released Aug. 14, 2012, was followed the very next day by the appearance of in-the-wild attacks that used Microsoft Office Word documents with embedded exploits of the Flash vulnerability. Interestingly, one of the decoy Word documents that employed the Flash exploit was apparently targeting people interested in atomic weapons programs. And by Aug. 17, the exploit was part of the open-source Metasploit vulnerability testing toolkit.

Given the shift from bug bounties to vulnerabilities being used to power digital espionage or offensive operations, why not regulate the sale of dangerous bugs? Of course, new government regulations aren't the solution to every problem. But most governments do regulate the sales of arms so average Joes can't buy rocket launchers or fighter attack jets, unless, of course, they are Larry Ellison. Furthermore, because "cyber warfare" is meant to be the new military frontier, there's no reason not to regulate the buying and selling of zero-day vulnerabilities, at least to ensure they're not being used for nefarious purposes.

Currently, there are no laws against the buying or selling of bugs. "It's important to realize that, however much of an unpleasant taste this might or might not leave in your mouth, none of these people are acting illegally," says Graham Cluley, senior technology consultant at Sophos, in a blog post. "They've worked hard, using their skills to discover vulnerabilities in software systems. They are not exploiting these security holes themselves, and they aren't breaking the law."

What vexes many security experts is that the details of the bug remain hidden to all but the buyer, thus potentially putting everyone else at risk. Furthermore, what if an unscrupulous third party or foreign government gets its hands on the zero-day and begins using it to attack American businesses or government systems?

According to Soghoian, vulnerability sellers argue that the buying and selling of vulnerabilities should be left to free-market forces. But as he said in his keynote, once other governments begin snapping up zero-days and using them to attack the United States, the U.S. government might suddenly find itself arguing for regulating bug sales on the grounds of self defense. For consumers and businesses that rely on PCs and who don't want to find themselves at the receiving end of an undetectable, zero-day-driven targeted attack, that would be welcome news.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.