Dark Reading is part of the Informa Tech Division of Informa PLC



05:19 PM

'App Store For Exploits' Could Reduce Enterprise Vulnerabilities

NSS Labs' Exploit Hub, a marketplace where coders can sell attacks on specific vulnerabilities, could help with enterprise security, experts say

The Exploit Hub -- a proposed free market for the buying and selling of attacks that exploit specific software vulnerabilities -- sounds more like a threat than a security aid. Yet the brainchild of security testing firm NSS Labs could just be what the doctor ordered to help enterprises eliminate their vulnerabilities, security experts say.

The "app store for exploits" will allow security researchers and developers to sell validated exploits to known security professionals. NSS Labs plans to test every exploit in the marketplace to make sure each one works and does not carry malicious code. In addition, the company will check every buyer to prevent criminals from using the marketplace to fuel their own activities.

The exploits will be in a standard format, making it easier for them to be added to the Metasploit Framework, and only attacks on previously reported vulnerabilities will be allowed.

"We are not selling zero-days -- this is not the Pirate Bay," says Rick Moy, president of NSS Labs. "One of the key things we are offering in our scenario here is that all of the exploits that go into the store will be validated."

For enterprise security teams, this new, darker analog to Apple's App Store could help immensely, says one security specialist at a Fortune 100 firm, who spoke on condition of anonymity.

"It is putting some parity on the playing field between the bad guys and the good guys," the security specialist says. "The bad guys have had this sort of capability for a while, and now the good guys can have it as well."

While vulnerability monitoring can reveal which systems have serious security issues, prioritizing the patching of flaws is difficult. That's where exploits can help, says the security specialist. Showing management that a particular issue can be easily exploited is a good way to open doors.

"Unless you can exploit a machine and pull it off -- give them the shock and awe -- it is hard to get their attention," he says.

The ability to buy exploits of publicly known software flaws could also help penetration testers and security professionals test the high-value targets that many security researchers might not care about, experts say.

Vulnerabilities in critical pieces of software, such as SAP and Oracle, are not always publicly exploited, making it difficult for security teams to demonstrate the risk those flaws pose. In fact, only about 10 percent of the almost 15,000 most serious vulnerabilities have been publicly exploited, according to data from CVE Details.
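The prioritization argument above (and the earlier point that exploit availability helps decide what to patch first) can be put into working form. The following is an added example, not code from the article or from NSS Labs: it assumes a scanner export with a CVSS score, a flag for whether a public exploit exists, and a flag for internet exposure, and it shows how the exploit flag reorders a backlog that CVSS alone would sort differently. All hosts and CVE identifiers are constructed placeholders.

```python
"""Rank a vulnerability backlog by exploit availability and exposure.

Added example (not from the article). Field names `cvss`, `public_exploit`
and `internet_facing` are assumptions about the scanner export.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str              # placeholder identifiers below, not real CVEs
    cvss: float           # CVSS base score as reported by the scanner
    public_exploit: bool  # a working exploit is publicly available
    internet_facing: bool # host is reachable from the internet


def priority_key(f: Finding) -> tuple:
    """Sort key: lower tuples are patched first.

    Tier 0: public exploit and internet-facing host.
    Tier 1: public exploit, internal host.
    Tier 2: no known exploit, but the host is exposed.
    Tier 3: everything else.
    Within a tier, higher CVSS first; host and CVE make the order stable.
    """
    if f.public_exploit and f.internet_facing:
        tier = 0
    elif f.public_exploit:
        tier = 1
    elif f.internet_facing:
        tier = 2
    else:
        tier = 3
    return (tier, -f.cvss, f.host, f.cve)


def rank(findings: List[Finding]) -> List[Finding]:
    """Backlog ordered by exploit availability, then exposure, then CVSS."""
    return sorted(findings, key=priority_key)


def rank_by_cvss_only(findings: List[Finding]) -> List[Finding]:
    """The naive ordering, for comparison: CVSS descending, no exploit data."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.cve))


def exploited_fraction(findings: List[Finding]) -> float:
    """Share of findings with a public exploit (the article cites ~10% overall)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.public_exploit) / len(findings)


# Constructed sample backlog; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("web-01", "CVE-PLACEHOLDER-0001", 7.5, public_exploit=True,  internet_facing=True),
    Finding("erp-02", "CVE-PLACEHOLDER-0002", 9.8, public_exploit=False, internet_facing=False),
    Finding("db-03",  "CVE-PLACEHOLDER-0003", 8.1, public_exploit=True,  internet_facing=False),
    Finding("vpn-04", "CVE-PLACEHOLDER-0004", 6.5, public_exploit=False, internet_facing=True),
    Finding("app-05", "CVE-PLACEHOLDER-0005", 9.1, public_exploit=False, internet_facing=True),
]

if __name__ == "__main__":
    print("CVSS only:       ", [f.host for f in rank_by_cvss_only(SAMPLE)])
    print("Exploit-aware:   ", [f.host for f in rank(SAMPLE)])
    print("Exploited share: ", exploited_fraction(SAMPLE))
```

Run against the constructed sample, the CVSS-only view puts the 9.8 ERP finding first even though nothing public exploits it, while the exploit-aware view moves the 7.5 finding on the exposed web host to the top; that gap is the "shock and awe" the anonymous specialist describes, expressed as a sort order rather than a demo.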

The Exploit Hub concept extends the evolution of the security researchers' marketplace, observers say. In 2002, security firm iDefense -- now part of VeriSign -- created its Vulnerability Contributor program, which bought previously undisclosed vulnerability information from researchers. TippingPoint -- now part of Hewlett-Packard -- created its own bug bounty program in 2005, called the Zero Day Initiative. In 2007, an auction site, WabiSabiLabi, went online as a place to sell vulnerabilities. Other security researchers have sold their vulnerabilities and exploits privately.

But writing exploits has become increasingly difficult, leading many vulnerability researchers to forgo creating reliable exploits for known vulnerabilities. For many penetration testers, that means they are not showing their clients a complete picture of their vulnerability posture, Moy says.

"If a pen tester goes into a client and only uses what's in Metasploit and what's in his virtual back pocket, then he is doing his client a disservice," Moy says.

Not everyone agrees. Dan Holden, director of HP's TippingPoint DV Labs, notes that penetration testers find only a few avenues of vulnerability, and frequently that vulnerability is not in the computer systems, but with the employees.

"They argue that pen testers are as good as their exploits, but that is not necessarily true," Holden says. "A lot of pen testers use social engineering to get access to systems."

Moreover, with technologies such as address space layout randomization (ASLR) and Data Execution Prevention (DEP) now standard in Windows systems and applications, developing exploits even for known vulnerabilities is difficult, Holden says.

"Weaponizing a vulnerability these days is far, far more difficult. There are a lot of hurdles to reliably exploiting the operating system," he says.
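The two mitigations Holden names are opt-in per binary: a Windows executable or DLL declares ASLR and DEP support through flag bits in the DllCharacteristics field of its PE optional header, and a binary built without them weakens the protection the OS offers. The following is an added example, not code from the article or from any vendor it mentions: a parser that reads those flags from a PE image so a defender can audit deployed binaries instead of assuming the platform default covers them. The flag values and header offsets are from the published PE/COFF format; the sample image is constructed in the block and is not a real program.

```python
"""Report whether a PE binary opts into ASLR and DEP.

Added example (not from the article). Offsets and flag values follow the
PE/COFF specification; `build_test_image` fabricates a minimal header for
offline testing.
"""
import struct

# DllCharacteristics flag bits (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# DllCharacteristics sits at offset 70 of the optional header for both formats.
DLL_CHARACTERISTICS_OFFSET = 70


def read_dll_characteristics(image: bytes) -> tuple:
    """Return (optional_header_magic, DllCharacteristics) or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                  # COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    optional = coff + 20                                 # optional header start
    if size_of_optional < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short for DllCharacteristics")
    if len(image) < optional + size_of_optional:
        raise ValueError("image truncated before end of optional header")
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, optional + DLL_CHARACTERISTICS_OFFSET)
    return magic, dll_chars


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation to whether the binary opts in."""
    magic, dll_chars = read_dll_characteristics(image)
    report = {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }
    if magic == PE32PLUS_MAGIC:  # high-entropy ASLR is only meaningful on 64-bit
        report["high_entropy_aslr"] = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return report


def build_test_image(magic: int, dll_chars: int) -> bytes:
    """Construct a minimal synthetic PE header (test data, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> right after DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x8664 if magic == PE32PLUS_MAGIC else 0x014C)
    struct.pack_into("<H", coff, 16, 96)                 # SizeOfOptionalHeader
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLL_CHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(optional)


if __name__ == "__main__":
    hardened = build_test_image(PE32PLUS_MAGIC, 0x0160)  # ASLR | DEP | high-entropy
    legacy = build_test_image(PE32_MAGIC, 0x0000)        # neither mitigation
    print("hardened:", mitigation_report(hardened))
    print("legacy:  ", mitigation_report(legacy))
```

On a real host the same `mitigation_report` can be fed the first few kilobytes of each executable under a program directory; a binary reporting `aslr: False` or `dep: False` is one that has not opted into the protections Holden describes as standard, and is worth flagging for rebuild or replacement.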

NSS Labs' Moy argues that as the market for exploit developers evolves, exploitation will become reliable once more -- and exploiting known vulnerabilities will become a routine, if not simple, task.

"The researcher will ask themselves: 'Do I spend all my time on the Hail Mary, or do I take my skills and go for the small wins and make a living?'" he says.
