Dark Reading | Vulnerability
6/11/2019 06:00 AM
Steve Durbin
Digital Vigilantes Weaponize Vulnerability Disclosure

Over the next two years, vulnerability disclosure will evolve from a predominantly altruistic endeavor to one that actively damages organizations.

Over the next two years, vulnerability disclosure will evolve from a predominantly altruistic endeavor to one that actively damages organizations. Attackers will search for, and publicly disclose, vulnerabilities to undercut competitors and destroy corporate reputations. Fraudsters will manipulate financial markets by releasing exploits at opportune moments. A lack of regulation will lead to a culture of digital vigilantism whereby vulnerability disclosure is weaponized for commercial advantage.

Organizations will be caught unaware as their vulnerabilities are disclosed at an accelerated pace, often without knowledge or consent. They will face unachievable timeframes to fix disclosed vulnerabilities, draining internal resources. The release of exploit code, the self-propagating nature of some malware and the interconnectivity of devices could see vulnerabilities exploited faster than ever before (accelerated by developments in AI) with major impacts to business.

Software providers and organizations that rely on their products will experience disruption from strategic vulnerability disclosure by rogue competitors, organized criminal groups and hacktivists. Given the global dependence on commercial software, the weaponization of vulnerabilities will have far-reaching consequences for businesses and their customers alike.

What is the justification for this threat?
Currently the key players in vulnerability discovery and disclosure are the big tech giants, which have significant resources. Google's Project Zero and Microsoft's vulnerability discovery team are examples of well-known vulnerability disclosure programs that actively search for vulnerabilities in their own and other companies' software.

To date, big tech giants have been able to define their own policies and practices regarding vulnerability disclosure. This lets them redefine those policies at will, justifying the strategic disclosure of vulnerabilities that directly undermine the reputation or commercial viability of other organizations. Google, in particular, has its own disclosure guidelines for vulnerabilities in third-party software: it reports them to the vendor in confidence and allows 90 days to issue a patch, after which the vulnerability and exploit code are publicly released.

In 2016, Google discovered a vulnerability in Microsoft's Windows 10 operating system that allowed an attacker to break out of a sandbox environment. Google categorized the flaw as critical, and publicly disclosed the vulnerability ten days after reporting it. Microsoft criticized the disclosure and responded with the statement: "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk."

In 2017 Microsoft publicly disclosed a Google Chrome web browser vulnerability, alerting Google to its discovery 30 days prior to the disclosure. The outcome of this tit-for-tat exchange was a more constructive approach to disclosure adopted by both parties. However, it does highlight the potential for vulnerability disclosure to be weaponized.

A market for vulnerability acquisition is emerging, driven by organizations such as Zerodium, which will pay millions of dollars for individual zero-day vulnerabilities. This illustrates the increasing monetary value of vulnerabilities and potentially changes the motivation for disclosure. As criminal groups or nation-state actors understand the potential of zero-day vulnerabilities, unethical vulnerability disclosure will escalate, leading to more vulnerable software and associated disruption to business and endangerment of customers.

Vulnerabilities may also be monetized in other ways, such as by manipulating the share prices of organizations. For example, in March 2018, a small security company claimed to have found vulnerabilities in AMD processors, releasing the details shortly afterwards. About 30 minutes later a financial organization published an "obituary" for AMD citing the recent vulnerability discovery as evidence that the company was now worthless and would have to file for bankruptcy. Links between the research company and the financial organization later surfaced, showing it to be an attempt to game the stock market. Whilst this attempt to use vulnerability disclosure to short stock ultimately failed, it is just a matter of time before such cases grow in scale and complexity.

The market for buying and selling vulnerabilities will continue to expand at an alarming rate. At the same time, AI developments will accelerate the speed at which vulnerabilities are found. Organizations will be faced with an unsustainable patching regime, and will face significant disruption and damage if vulnerabilities are exploited.

How should your organization prepare?
Dealing with zero-day vulnerabilities should be business as usual for organizations. However, as vulnerability disclosure becomes weaponized this will require re-evaluation of current approaches to patch management, threat intelligence and resilience.

In the short term, organizations should review and improve processes for managing technical vulnerabilities to include vulnerability scanning, remediation and patch management systems. They should also carry out more targeted and detailed penetration testing.

In the long term, vendors should invest in secure coding practices and increase threat intelligence activities in conjunction with threat hunting to move from a reactive to a proactive stance. Organizations should also implement a cyber resilience program and ensure that zero-day vulnerabilities are a tested scenario during a cybersecurity exercise.

— Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
