jump to navigation

Bonus episode of AudioParasitics Podcast May 24, 2007

Posted by Dave Marcus in General Security, Malware, PodCasting, Vulnerabilities, Zero Day.
add a comment

We released a bonus podcast episode of AudioParasitics – The Official Podcast of McAfee Avert Labs earlier this week.

In this episode we delve once again into the debate around vulnerability disclosure and bounty programs. Jim Walter and I wrestle with the ethics of bounty programs and whether or not they help protect customers. We battle with the explosive and complex relationships between bounties, vulnerabilities, exploits and malware.


Remember that you can subscribe to the podcast through iTunes or Podzinger as well.


The ball drops and the bubble bursts January 2, 2007

Posted by Dave Marcus in General Security, Vulnerabilities, Zero Day.
add a comment

It should prove to be a very interesting New Year indeed! The ball has dropped in Times Square signifying a fresh start. What better way to start of a new year than with a new month of bugs. As most already know, January 2007 is to be the Month of Apple Bugs and the first one has been released.

I think this will be an interesting bug month for a few reasons. The Apple community, in general, has an overblown sense of invulnerability when it comes to security. True, there has been little exploitation of the various Apple platforms. This is mainly true for a very simple reason: lack of deployment footprint. At the end of the day, Apple is not really a great target of opportunity. Scan a million IP addresses and what will you get? Well over 90% (that is a very low estimate) will be various incarnations of MS Windows. If I am a malware/exploit writer and money or data is my goal, where would I focus my efforts?

Interesting when you consider that by the end of this month there will probably be more public exploits for Apple OS and applications then there have been in several years. Will any of these exploits end up being used in targeted attacks? Who knows. But I think that many peoples bubbles will be burst over the next month.

Hey, they may even have to change those dopey ads they run……….

MS Word Zero-Day Trio December 22, 2006

Posted by Dave Marcus in Malware, Vulnerabilities, Zero Day.
add a comment

Boy was that ever a weekend!!! Three solid zero-day exploits over a 5-6 day period of time right around MS Patch Tuesday (no coincidence).

Over at Avert Labs we have been tracking this for quite some time. The trend seems to be to release a zero-day exploit within +3 or -3 days of the MS patch release. Pretty good strategy actually when you consider it. If an MS zero-day is released 3 days prior to the patch it is very unlikely it will get included in the release. If the exploit is released 3 days after the patch it is very unlikely that MS will release an out-of-cycle patch to address it. This gives the exploit writer a potential usage window of 27 – 33 days for the malware.

Definitely speaks to the continued organization and planning skills of the malware writer.

First Windows Kernel Bug for the MoKB Released November 6, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.
add a comment

Well, we knew it was only a matter of time but the first kernel bug for Windows has been released for the MoKB. Interestingly enough this particular bug is darn near 2 YEARS OLD and has been previously reported to MS, although it has remained unpatched. Read the full post or get the source code here.

XML Core Services 0-Day Update November 6, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.
add a comment

The other day I wrote about a new zero day in Windows IE XML Core Services. Well, it seems that some new developments have occurred! The Register has picked up the story, in which they state that Secunia is now seeing more active exploitation. Microsoft has posted an Advisory about the vulnerability and even included suggestion and workarounds. No word yet on whether they will release an early patch for it tho. As MS rarely releases out-of-cycle patches, my guess would be no.

I have not heard any updated intel from the researchers at McAfee Avert Labs where I work, but if I do I will certainly update on it.

More MoKB Fun!!! November 5, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.
add a comment

In case you haven’t been following the fun with the Month of Kernel Bugs, we are up to four so far.

The running total looks like this:

  • 1 Mac OSX
  • 1 Linux
  • 1 FreeBSD
  • 1 Solaris

Mostly denial-of-service at this point, but I would guess that further work and anlysis will be done on these. That being the case, we could see some further proof-of-concept code and exploits later for these.

New IE 0-day making the rounds November 5, 2006

Posted by Dave Marcus in Malware, Vulnerabilities, Zero Day.

One of my buddies at McAfee Avert Labs has posted on a new IE zero-day exploit making the rounds. Tho he would never admit to it, Craig Schmugar is one of the finest researchers in the security industry and a fairly prolific blogger himself.

Month of Kernel Bugs off to a good start! November 2, 2006

Posted by Dave Marcus in Vulnerabilities, Zero Day.
add a comment

As I had mentioned in previous posts, November 2006 is the Month of Kernel Bugs. Well yesterday, true to form, they posted the first kernel bug, a nice one in Apple’s Airport Driver.  This particular bug, a kernel memory corruption issue, was found by none other than H D Moore which in turn is based upon some previous work by Cache and Maynor

Moore was nice enough to supply a handy-dandy Metasploit module  for the kernel bug as well.  Considerate that was!  An unpatched vulnerability disclosed complete with working exploit code……….

Oh and btw – it really is nice to see someone aside from Microsoft get targeted once and a while!

Bounties, fuzzing and zero-day threats. Part 2 November 2, 2006

Posted by Dave Marcus in Zero Day.
add a comment

So where were we? Oh, yeah zero-day threats.

The most interesting part lately (IMO anyway) of zero-day threats surround Microsoft patch releases. In recent months, there has been a growing correlation between when Microsoft releases their regular patches and the discovery/disclosure of zero-day exploits. They tend to appear +-3 days of the patch release, allowing them to maximize their window of opportunity. This would seem to evidence that attackers are exploiting this release model to their advantage. Bruce Schneier has also weighed in on this issue on his own blog.

Consider the following areas that contribute to zero-day exploits as a commodity:

  • Vulnerability researcher dissatisfied with Vendor
  • Government and Corporate Espionage (targeted data attacks instead of outbreaks)
  • Vulnerability Bounty Programs
  • Penetration code as a revenue producer for the attacker
  • Advances in fuzzing and other vulnerability search tools

All these areas are converging to give rise to more potential zero-day threats.  Consider that Microsoft is closing in on having patched almost 100 Critical Vulnerabilities this year and that by the July of 2006 they had released more critical vulnerability patches than 2004 and 2005 combined.  Add to this 1 part bounty programs, 1 part easier fuzzing and you can easily see the potential for both zero-day exploits and targeted attacks becoming more prevelant than ever before. 

Bounties, fuzzing and zero-day threats. Part 1 November 1, 2006

Posted by Dave Marcus in Zero Day.
add a comment

As part of my duties for McAfee Avert Labs, I present on current and future threats in computer security. Lately I have been focusing on the connection between vulnerability bounty programs, fuzzing and the rise of zero-day threats. This will be part 1 of a two part post.

Vulnerability bounty programs like The Zero Day Initiative from 3Com/TippingPoint or The Vulnerability Contributor Program fro iDefense compensate individuals who provide them with undisclosed vulnerabilities in applications or operating systems. These bounties vary depending on the severity of the vulnerability, type of application or operating system affected and even amount of potentially affected users. Some of these bounties can be as high as $10,000! 

Welcome to the emergence of the “Vulnerability Marketplace”.  I am not aguing that vulnerabilities should not be found or patched. What I am saying is that there has never been a greater financial motivation for individuals to bang on applications or operating systems for the sole purpose of making money. Making money is never a bad thing but let’s look at a few other tidbits.

Fuzzing. A hot term and topic right now. According to Wikipedia, fuzzing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data (“fuzz”). If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct. A fuzzer is a program that attempts to discover security vulnerabilities by sending random input to an application. If the program contains a vulnerability that can leads to an exception, crash or server error (in the case of web apps), it can be determined that a vulnerability has been discovered. Lately fuzzers are often used as Fault Injectorsfor this reason: they generate faults and send them to an application. Fuzzers can be used for finding buffer overflow, DoS, SQL Injection, XSS, and Format String bugs. Fuzzing has been around since around 1989 but has really been coming into its own in the vulnerability research area. The open source community has been an active developer of some of the best and most powerful fuzzing tools available today.  Tools like AxMan, developed by H.D. Moore of Metasploit fame, used for browser fuzzing, are freely available over the Internet. The well known MoBB (Month of Browser Bugs) proved this tools power. Other popular browser fuzzers include Hamachi, CSS-Die, DOM-Hanoi and MangleMe. All these tools are well documented and freely available, making it easier than ever to find vulnerabilities.

Oh, and by the way, did you know that November 2006 is The Month of Kernel Bugs? Yep, complete with it own fuzzer.  But, I digress. Let’s move on to zero-day. 

The term zero-day is a squishy term.  Let us agree to define zero-day exploits as being  released before the vulnerability — and, sometimes, the vendor patch — are released to the public. It is generally accepted to be calculated from the number of days between the public advisory and the release of the exploit. See Wikipedia for a decent expanded definition.

Part two to follow later today.