Dark Reading is part of the Informa Tech Division of Informa PLC
Steve Durbin

Digital Vigilantes Weaponize Vulnerability Disclosure

Over the next two years, vulnerability disclosure will evolve from a predominantly altruistic endeavor to one that actively damages organizations.

Attackers will search for, and publicly disclose, vulnerabilities to undercut competitors and destroy corporate reputations. Fraudsters will manipulate financial markets by releasing exploits at opportune moments. In the absence of regulation, a culture of digital vigilantism will take hold in which vulnerability disclosure is weaponized for commercial advantage.

Organizations will be caught unaware as their vulnerabilities are disclosed at an accelerated pace, often without their knowledge or consent. They will face unachievable timeframes for fixing disclosed vulnerabilities, draining internal resources. The release of exploit code, the self-propagating nature of some malware and the interconnectivity of devices could see vulnerabilities exploited faster than ever before, a trend that developments in AI will accelerate, with major impacts on business.

Software providers and organizations that rely on their products will experience disruption from strategic vulnerability disclosure by rogue competitors, organized criminal groups and hacktivists. Given the global dependence on commercial software, the weaponization of vulnerabilities will have far-reaching consequences for businesses and their customers alike.

What is the justification for this threat?
Currently the key players in vulnerability discovery and disclosure are the big technology companies, which have significant resources. Google's Project Zero and Microsoft's vulnerability research teams are well-known examples: they actively search for vulnerabilities in their own and in other companies' software.

To date, these companies have been able to define their own policies and practices for vulnerability disclosure. This lets them redefine those policies at will, and could be used to justify the strategic disclosure of vulnerabilities in ways that directly undermine the reputation or commercial viability of other organizations. Google's Project Zero, in particular, has its own guidelines for vulnerabilities in third-party software: it reports them privately to the vendor and allows 90 days to issue a patch, after which the details, usually with proof-of-concept code, are made public.

In 2016, Google discovered a vulnerability in Microsoft's Windows 10 operating system that allowed an attacker to escalate privileges and escape a sandbox. Google rated the flaw critical and, because it was already being exploited in the wild (which triggers Google's 7-day deadline for actively exploited bugs rather than the usual 90), published it ten days after reporting it to Microsoft. Microsoft criticized the disclosure, responding: "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk."

In 2017, Microsoft publicly disclosed a vulnerability in Google's Chrome browser, having alerted Google to its discovery 30 days before the disclosure. The outcome of this tit-for-tat exchange was a more constructive approach to disclosure on both sides, but it highlights how readily vulnerability disclosure can be weaponized.

A market for vulnerability acquisition is emerging, driven by brokers such as Zerodium, which advertises payouts of up to seven figures for individual zero-day exploits. This illustrates the rising monetary value of vulnerabilities and potentially changes the motivation for disclosure. As criminal groups and nation-state actors recognize the potential of zero-day vulnerabilities, unethical disclosure will escalate, leaving software more exposed, disrupting business and endangering customers.

Vulnerabilities may also be monetized in other ways, such as by manipulating the share prices of organizations. In March 2018, for example, a small security company claimed to have found vulnerabilities in AMD processors and published the details after giving AMD less than 24 hours' notice. About 30 minutes later a financial research firm published an "obituary" for AMD, citing the vulnerability findings as evidence that the company was now worthless and would have to file for bankruptcy. Links between the security company and the financial firm later surfaced, suggesting an attempt to game the stock market. Whilst this attempt to use vulnerability disclosure to short a stock ultimately failed, it is only a matter of time before such cases grow in scale and complexity.

The market for buying and selling vulnerabilities will continue to expand at an alarming rate. At the same time, AI developments will accelerate the speed at which vulnerabilities are found. Organizations will be faced with an unsustainable patching regime, and will face significant disruption and damage if vulnerabilities are exploited.

How should your organization prepare?
Dealing with zero-day vulnerabilities should be business as usual for organizations. However, as vulnerability disclosure becomes weaponized, current approaches to patch management, threat intelligence and resilience will need to be re-evaluated.

In the short term, organizations should review and improve processes for managing technical vulnerabilities to include vulnerability scanning, remediation and patch management systems. They should also carry out more targeted and detailed penetration testing.

In the long term, vendors should invest in secure coding practices and expand threat intelligence activities, combined with threat hunting, to move from a reactive to a proactive stance. Organizations should also implement a cyber resilience program and ensure that zero-day vulnerabilities are a tested scenario in their cybersecurity exercises.
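The short-term advice above, matching disclosed vulnerabilities to assets and scheduling remediation before the attacker does, is easiest to see as code. The following is an added example written for this edit, not ISF's or Dark Reading's tooling: it matches a constructed advisory feed (an invented JSON schema; real feeds such as NVD differ) against a constructed asset inventory, treats an advisory with no fixed version as a zero-day that needs a mitigation task rather than a patch, and pulls the remediation window in when exploit code is already public or the host is Internet-facing. Product names, hostnames, advisory IDs, versions and the window lengths are all assumptions.

```python
"""Triage newly disclosed vulnerabilities against an asset inventory.

Added example for this column; it is not ISF tooling or code from the
original article. Inputs are constructed: an advisory feed in a minimal
JSON schema invented for this example (real feeds such as NVD differ) and
a small asset inventory with invented hostnames, products and versions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Constructed advisory feed. "fixed_in": null models a zero-day that was
# disclosed (with exploit code) before the vendor shipped a fix.
ADVISORY_FEED = json.dumps([
    {"id": "ADV-0001", "product": "acme-gateway", "fixed_in": "2.4.1",
     "exploit_public": True, "disclosed": "2020-08-01"},
    {"id": "ADV-0002", "product": "acme-gateway", "fixed_in": None,
     "exploit_public": True, "disclosed": "2020-08-05"},
    {"id": "ADV-0003", "product": "widget-db", "fixed_in": "9.0.3",
     "exploit_public": False, "disclosed": "2020-08-03"},
])

# Constructed asset inventory (the shape a scanner or CMDB export gives you).
INVENTORY = [
    {"host": "vpn-edge-1", "product": "acme-gateway", "version": "2.3.9",
     "internet_facing": True},
    {"host": "vpn-lab-1", "product": "acme-gateway", "version": "2.4.1",
     "internet_facing": False},
    {"host": "db-core-1", "product": "widget-db", "version": "9.0.1",
     "internet_facing": False},
]

# Remediation windows in days, counted from the public disclosure date,
# because that is when the clock starts for everyone, attackers included.
# The values are assumed; pick your own.
WINDOWS = {"P1": 2, "P2": 7, "P3": 30}


@dataclass
class Finding:
    asset: str
    advisory_id: str
    priority: str
    action: str      # "patch" when a fix exists, "mitigate" when it does not
    due: date


def version_tuple(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. "2.4.1" -> (2, 4, 1)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: dict, adv: dict) -> bool:
    if asset["product"] != adv["product"]:
        return False
    if adv["fixed_in"] is None:
        # No fixed version published yet: every deployed version is exposed.
        return True
    return version_tuple(asset["version"]) < version_tuple(adv["fixed_in"])


def priority(adv: dict, asset: dict) -> str:
    """Public exploit code and Internet exposure each shorten the window."""
    score = int(adv["exploit_public"]) + int(asset["internet_facing"])
    return {2: "P1", 1: "P2", 0: "P3"}[score]


def triage(feed_json: str = ADVISORY_FEED, inventory=INVENTORY) -> list:
    """Match advisories to assets and return findings ordered by due date."""
    findings = []
    for adv in json.loads(feed_json):
        disclosed = date.fromisoformat(adv["disclosed"])
        for asset in inventory:
            if not is_affected(asset, adv):
                continue
            prio = priority(adv, asset)
            action = "patch" if adv["fixed_in"] else "mitigate"
            findings.append(Finding(asset["host"], adv["id"], prio, action,
                                    disclosed + timedelta(days=WINDOWS[prio])))
    findings.sort(key=lambda f: (f.due, f.asset, f.advisory_id))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"{f.due} {f.priority} {f.action:8} {f.asset:12} {f.advisory_id}")
```

Run it as a script to print the plan. The ordering is the point: the Internet-facing gateway with public exploit code is due first, the zero-day with no vendor fix still gets a dated mitigation task instead of waiting on the vendor, and the lab host that is already on the fixed version produces no work at all.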

— Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
