I had pie on my face this weekend. Literally. As in, I was supporting the Relay for Life at our Little League’s opening day ceremony on Saturday and had 8, 9, and 10 year-olds throwing whipped cream sponges at me. Ouch. Should have invited a few Internet security pundits – would’ve made a mint.
Timing can be interesting sometimes. On Friday, Dave Maynor over at Errata Security suggested that I should have pie all over my face because of the latest DNS 0day. He asserts that I was a naysayer about the existence of 0days. Dave goes on to say that there have been "numerous 0day attacks that have popped up in the last few years."
I am not clear whether he uses the term 0day in the currently popular way – to describe a known vulnerability without a patch – or the old way – to describe a real-world exploit against an "undercover" vulnerability that wasn’t generally known. I have started calling them "in-the-wild exploits against undercover vulnerabilities" in an attempt at clarity. In any case, I will be talking about the latter class of exploits/vulns. My latest list identifies 18 of them since 1988.
The following points might make my position clearer:
- I never believed undercover exploits were nonexistent. My position was then (and is now) that they don’t exist in volume anywhere near the number indicated by other security folks. David’s statement that they are now "numerous" is laughable in light of the raw numbers we are talking about (around 20 in as many years, though probably 8-10 of those have come fairly recently).
- These vulns are the most significant to any organization – after all, they are in the wild. To the extent that there really are many more out there (presumably the people that have first hand knowledge of these things are withholding the information) we should be focused clearly on these. It appears that in cases where the vulnerability is most important (it is being exploited) the security world is less likely to know about it. Ouch.
- With the number of undercover exploits increasing, one has to wonder about the veracity of the claim that bughunting is useful. Heck, 0days are increasing – I take that as a key indicator that they are failing on the bugfinding front (no surprise there as it is an impossible task).
- Every time one of these is found, it proves that they can be found. I know that sounds strange, but there are many people out there that still believe you can’t find a 0day exploit; you must find the vulnerability first. This demonstration of success should be our bellwether for the future.
That’s all for now. More later when someone brings up the point that there would be so many, many more of these if we weren’t out hunting bugs.
Why don’t you count ANI? It’s a different code path than the 2005, and that makes it new; otherwise you can’t count your sendmail, for instance.