
Bounties, fuzzing and zero-day threats. Part 1 November 1, 2006

Posted by Dave Marcus in Zero Day.

As part of my duties for McAfee Avert Labs, I present on current and future threats in computer security. Lately I have been focusing on the connection between vulnerability bounty programs, fuzzing and the rise of zero-day threats. This will be part 1 of a two-part post.

Vulnerability bounty programs like The Zero Day Initiative from 3Com/TippingPoint or The Vulnerability Contributor Program from iDefense compensate individuals who provide them with undisclosed vulnerabilities in applications or operating systems. These bounties vary depending on the severity of the vulnerability, the type of application or operating system affected and even the number of potentially affected users. Some of these bounties can be as high as $10,000!

Welcome to the emergence of the “Vulnerability Marketplace”. I am not arguing that vulnerabilities should not be found or patched. What I am saying is that there has never been a greater financial motivation for individuals to bang on applications or operating systems for the sole purpose of making money. Making money is never a bad thing, but let’s look at a few other tidbits.

Fuzzing. A hot term and topic right now. According to Wikipedia, fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data (“fuzz”). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. A fuzzer is a program that attempts to discover security vulnerabilities by sending random input to an application. If the program contains a vulnerability that can lead to an exception, crash or server error (in the case of web apps), it can be determined that a vulnerability has been discovered. Lately fuzzers are often used as Fault Injectors for this reason: they generate faults and send them to an application. Fuzzers can be used for finding buffer overflow, DoS, SQL Injection, XSS, and Format String bugs.

Fuzzing has been around since about 1989 but has really been coming into its own in the vulnerability research area. The open source community has been an active developer of some of the best and most powerful fuzzing tools available today. Tools like AxMan, developed by H.D. Moore of Metasploit fame and used for browser fuzzing, are freely available over the Internet. The well-known MoBB (Month of Browser Bugs) proved this tool’s power. Other popular browser fuzzers include Hamachi, CSS-Die, DOM-Hanoi and MangleMe. All these tools are well documented and freely available, making it easier than ever to find vulnerabilities.
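The fault-injection loop the paragraph describes, as an added example that is not from the original post or from any of the tools it names: a small mutation fuzzer in Python run against a constructed, deliberately fragile record parser (`parse_records`, hypothetical), so that every crash it reports is one of the parser's own missing bounds checks surfacing as an uncaught exception.

```python
import random

# Constructed sample input: three well-formed records in a toy format,
# [type:1 byte][length:1 byte][payload:length bytes] repeated.
SEED = bytes([1, 1]) + b"a" + bytes([2, 2]) + b"bc" + bytes([3, 4]) + b"defg"

def parse_records(data: bytes) -> list:
    """Hypothetical target parser. It trusts the declared length without any
    bounds check and divides by it, so malformed input can raise IndexError
    or ZeroDivisionError: exactly the uncaught faults a fuzzer looks for."""
    records, pos = [], 0
    while pos < len(data):
        rtype, length = data[pos], data[pos + 1]
        payload = bytes(data[pos + 2 + i] for i in range(length))
        records.append((rtype, sum(payload) // length))  # mean payload byte
        pos += 2 + length
    return records

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a bit, overwrite a byte, or truncate."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Feed mutated copies of `seed` to `target`; any uncaught exception is a
    fault. Returns {exception name: (hit count, shortest crashing input)},
    the shortest input being the handiest reproducer for triage."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:
            name = type(exc).__name__
            count, shortest = findings.get(name, (0, case))
            findings[name] = (count + 1, min(shortest, case, key=len))
    return findings

if __name__ == "__main__":
    for name, (count, repro) in fuzz(parse_records, SEED, 2000).items():
        print(f"{name}: {count} hits, shortest reproducer {repro!r}")
```

The fix on the defender's side is the one the findings point at: check that two header bytes and `length` payload bytes remain before reading them, and reject a zero length instead of dividing by it.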

Oh, and by the way, did you know that November 2006 is The Month of Kernel Bugs? Yep, complete with its own fuzzer. But, I digress. Let’s move on to zero-day.

Zero-day is a squishy term. Let us agree to define zero-day exploits as those released before the vulnerability — and, sometimes, the vendor patch — is released to the public. The figure is generally accepted to be calculated from the number of days between the public advisory and the release of the exploit. See Wikipedia for a decent expanded definition.

Part two to follow later today.
