10/11/2011 04:52 PM
More Exploits For Sale Means Better Security

Selling exploits can help companies test their systems, but is there room for an independent market?

For a decade, security researchers have been able to earn money by selling the details of significant vulnerabilities to bounty programs: first to the Vulnerability Contributor Program launched by iDefense in 2002, and then to TippingPoint's Zero Day Initiative, which went live in 2005.

Extending the model, security research and testing firm NSS Labs launched ExploitHub, an app-store model for the sale of code to exploit known vulnerabilities. Preapproved buyers can browse the store and pay anywhere from $50 to $1,000 for ready-to-use exploit code.

Yet the mix of attack code has been anemic. A look at ExploitHub shows that sellers are hawking code that attacks Oracle, Novell, and a handful of Windows vulnerabilities. NSS Labs hopes to change that: Last week, the company introduced a voting system for buyers to specify vulnerabilities of interest, as well as a prize system that pays a bounty for posting code to exploit the flaws. The company plans to pay between $200 and $500 for working attacks that target specific vulnerabilities in Internet Explorer and Adobe Flash.

Providing exploits that are in greater demand better serves defenders, says Rick Moy, CEO of NSS Labs.

"The bad guys have the ability to create these exploits and launch them maliciously," he says. "But the good guys don't even have access to those exploits, so they can't test their defenses to tell whether they are secure or not."

While zero-day attacks -- those targeting previously unknown and unpatched vulnerabilities -- are a widespread concern, companies need to test their security against known vulnerabilities as well. The majority of firms delay rolling out patches, and to make sure they are not leaving themselves open to attack, they must be able to block the exploitation of their unpatched software.

By selling exploits for known flaws, ExploitHub helps IT security teams and penetration testers check an organization's security, and it keeps software vendors pressured to push out patches for major vulnerabilities, says Marc Maiffret, chief technology officer for eEye Digital Security, a network and host-based security firm.

"I think the more we can do to get people to do vulnerability research and report issues to vendors rather than selling it to some bad guys out there, the better," he says.

ExploitHub also offers an alternative to researchers. While it might not be as lucrative as selling original vulnerabilities to the two major bounty programs, which typically pay $1,000 to $5,000 for significant security flaws, it offers a legitimate alternative to selling their coding services on the criminal markets.

"You will have a lot of people out there who want to make exploits, and they may not be able to get a job with a pen-testing firm," says Thomas Kristensen, chief security officer for vulnerability management firm Secunia. "There will be room for an ExploitHub."

NSS Labs' Moy points to the 15,000 to 17,000 critical vulnerabilities found in the past five years as an enormous opportunity for attackers and, thus, for exploit writers who want to help defenders do their jobs better. The major penetration-testing tools -- Immunity's Canvas, Core Security's Core Impact, and Metasploit, which is now maintained by Rapid7 -- have exploits for some 1,000 vulnerabilities. The gap represents a great opportunity, Moy says.

"The zero-day stuff is all sexy and hot ... and that is fine, but in the big picture of security, the zero-day stuff is a narrower facet of the problem," he says.

Yet eEye's Maiffret is not sold on the viability of a market for non-zero-day flaws.

"Who cares if you have exploits for known vulnerabilities?" he says. "If you are a company getting exploited by known vulnerabilities, your security is not doing its job."
