For a while now, I have been tracking "undercover vulnerabilities" and exploits. These exploits are a subset of zero day (0day) exploits – while zero day attacks are focused on vulnerabilities that don't have patches, the undercover exploit is focused on vulnerabilities that were unknown prior to the exploit occurring "in the wild." That is, we had no prior knowledge of the vulnerability before the attack took place.
I think this is significant to track because it is an indicator of two things:
- It reminds us that even before vulnerabilities are disclosed they exist in the software, and it is possible that we should be working harder to provide protection.
- It highlights alternative methods for identifying vulnerabilities other than the discover-and-disclose cycle that occurs between bug finders and vendors today.
There are a handful of other reasons why I think this tracking is important… but I am stuck wondering if this is useful for the community. It is remarkably difficult (and time consuming) to actually trace the origins of an announcement – it essentially involves taking all reports of "0days" and vendors being aware of attacks in the wild, and playing chicken-and-egg games to try to come to a conclusion.
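The chicken-and-egg comparison described above comes down to ordering three dates per vulnerability: the earliest confirmed sighting of attacks in the wild, the earliest public disclosure, and the patch date. The following is an added example (not the author's tracking list or the OSVDB's) that applies that ordering to constructed sample records; the record fields, category names and the `SAMPLE-nnnn` identifiers are assumptions for illustration. It also handles the case the author ran into, where a vendor provides no information and the record has to stay undetermined rather than being forced into a category.

```python
"""Classify tracked vulnerabilities by comparing the earliest confirmed
in-the-wild exploitation date against public disclosure and patch dates.
Every record below is constructed sample data, not a real vulnerability."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class VulnRecord:
    ident: str                                              # tracker id (placeholder values)
    in_wild_reports: list = field(default_factory=list)     # dates from each report of attacks in the wild
    disclosure_reports: list = field(default_factory=list)  # dates from each public advisory or bug report
    patch_date: Optional[date] = None                       # None if no patch, or date unknown


def earliest(dates):
    """Earliest non-None date across possibly conflicting reports; None if nothing is known."""
    known = [d for d in dates if d is not None]
    return min(known) if known else None


def classify(rec):
    seen = earliest(rec.in_wild_reports)
    disclosed = earliest(rec.disclosure_reports)
    if seen is None:
        return "not-exploited-in-wild"      # no confirmed attacks to compare against
    if disclosed is None:
        return "undetermined"               # exploited, but no disclosure date on record
    if seen < disclosed:
        return "undercover"                 # attacked before the vulnerability was known at all
    if rec.patch_date is None or seen < rec.patch_date:
        return "0day"                       # vulnerability known, but unpatched when attacked
    return "n-day"                          # attacked after a patch already existed


def classify_all(records):
    """Map each record id to its category."""
    return {rec.ident: classify(rec) for rec in records}


def undercover_per_year(records):
    """Count undercover vulns by the year of their first in-the-wild sighting."""
    per_year = Counter()
    for rec in records:
        if classify(rec) == "undercover":
            per_year[earliest(rec.in_wild_reports).year] += 1
    return dict(per_year)


# Constructed sample records; two conflicting in-the-wild reports on the first one.
SAMPLE = [
    VulnRecord("SAMPLE-0001", [date(2009, 3, 2), date(2009, 2, 20)], [date(2009, 3, 5)], date(2009, 4, 1)),
    VulnRecord("SAMPLE-0002", [date(2009, 6, 10)], [date(2009, 6, 1)], None),
    VulnRecord("SAMPLE-0003", [date(2008, 11, 3)], [date(2008, 5, 1)], date(2008, 6, 1)),
    VulnRecord("SAMPLE-0004", [date(2008, 9, 9)], [], None),          # vendor gave "no information"
    VulnRecord("SAMPLE-0005", [], [date(2009, 1, 1)], date(2009, 1, 15)),
    VulnRecord("SAMPLE-0006", [date(2008, 7, 1)], [date(2008, 7, 15)], date(2008, 8, 1)),
]

if __name__ == "__main__":
    for ident, category in classify_all(SAMPLE).items():
        print(f"{ident}: {category}")
    print("undercover per year:", undercover_per_year(SAMPLE))
```

Taking the earliest of several conflicting reports is deliberate: a later "first seen" date can only make a vulnerability look less undercover than it was, so the conservative choice for a tracker is the earliest credible sighting, with the record left as "undetermined" whenever the disclosure side is simply missing.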
Currently, the OSVDB has taken up the charge (thanks, Jericho), but I don't think they can do the full root cause analysis required to really get to a solid determination – my list has 21 undercover vulns since 1988 and theirs has 75 (10 in 2009), though I haven't updated mine since last October (did I mention the time-consuming part?).
While I have not executed an all-out full-court press on vendors, the times I did ask for follow-up to see how the vulnerability was discovered resulted in somewhat ambiguous answers about having "no information" or "disclosure agreements" that prevent any discussion about them.
So, if you think the list is helpful, please let me know. And if you are a conspiracy theorist (I can't help but wonder a bit myself) I would be curious to hear why you think vendors are reluctant to provide this information – personally, I think we should care MORE about these vulns and not less.