Update 3: Just found this: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-06/0360.html. It is an announcement on 6/29/05 on the Full Disclosure mailing list from the original hackers.
Update 2: Adam Shostack references Lemos’ article that asserts the unannounced aspect of the vuln. I cite the original paper here: From pages 9-10 of "Automated Web Patrol with Strider HoneyMonkeys", the original paper (at least, I am pretty sure it is): "…In early July 2005, the HoneyMonkey system discovered its first zero-day exploit. The javaprxy.dll vulnerability was known at that time without an available patch yet, and whether it was actually being exploited was a very important piece of information. The HoneyMonkey system was able to detect the first exploit page within 2.5 hours of scanning…
I guess it could have been unannounced – I was keying on the word "known" and since MS had to have known about it earlier than the announcement, it could have been both "known" and still "unannounced" – very interesting.
Updated: Slightly false alarm. The honey monkey work found a working exploit against an announced vulnerability, not an unannounced one. Oh, well, still significant but not quite as much so.
Adam Shostack of Emergent Chaos noted the first zero-day exploit found by Microsoft’s "honeymonkey" project. I could have sworn I blogged about honey monkeys the first time this was mentioned on SecurityFocus, but I can’t find a reference.
Regardless, the whole honey monkey process is the kind of ingenuity I expect would flourish if we simply stopped trying to find vulnerabilities "the old-fashioned way".
One note: it was a bit surprising to me to see Adam note that "We’ve always known that there’s lots of exploit code for unannounced vulnerabilities out there." I don’t know exactly where Adam comes by this, but I can think of three scenarios: 1) he is a super-secret undercover "white hat" who sees lots of this and isn’t allowed to tell anyone; 2) he spends part of his time "on the dark side" with Eddie and the Cruisers; or 3) it is complete b.s.
A warning for security professionals: It is common in our profession for folks to make claims that they can’t possibly substantiate and assert them as fact. It is that kind of rhetoric that fosters the same type of groupthink mentality that got us into Iraq (note: please don’t try to read any political convictions into that last statement, as I can assure you, you’d be wrong). Reference: James Surowiecki’s "The Wisdom of Crowds" and a host of other material that explains human psychology gone awry.
Always ask the next question – "how do you know?"
Ummm, from page 2 of Lemos’ article:
If Adam had written “We’ve always expected that there’s lots of exploit code…” – would you have been fine with that?
Anything that indicates suspicion or belief rather than fact is fine w/ me. Of course, he may have facts, but my experience has been that that is unlikely.
To clarify: it is unlikely for anyone in our profession to have details (not a swipe against Adam).