Who would want to make a living buying information on software vulnerabilities for resale? Not Gunter Ollmann of IBM’s ISS security division it would seem.
At the risk of indulging in meta-critique (oh go on then), Ollmann's blog goes into some detail on his arguments against the flaw resale industry, and specifically on one company operating a paid disclosure program: 3Com TippingPoint, which runs one called the Zero Day Initiative (ZDI).
Last week, at Black Hat, it was the turn of Robert Graham and David Maynor of Errata to point out the obvious weakness of the TippingPoint ZDI program for turning vulnerabilities into marketable information: there has for some time been a risk that anyone with access to the vulnerability information used to update protected systems could reverse engineer the flaw while it is still at the zero-day stage, namely the stage where only TippingPoint and its customers know about it. It's not a problem that is unique to TippingPoint, of course. Any security vendor shipping signatures or patches ahead of public disclosure faces the same issue.
"The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," said Graham during his show presentation.
According to Graham, this is no theoretical possibility, and it has already happened. Errata discovered two hacking groups using information from a TippingPoint signature to write zero-day attacks in the aftermath of the notorious Apple QuickTime bug that emerged from the CanSecWest hacking contest. All that was required (or was, until TippingPoint claimed to have fixed it) was for Errata to find the key protecting the signature and decrypt it.
According to Ollmann, as big a problem as the fact that vulnerability information can slip into the public domain is that companies such as TippingPoint use the whole ZDI program as a form of marketing: "we found the problem first, aren't we clever." His solution seems a bit drastic and highly unlikely to make any headway: simply refuse to mention the company or individual that first discovered the hole.