The responsible disclosure of security flaws in software from suppliers is being undermined by hackers being paid to find bugs and using this information to create exploits.

According to security software supplier Trend Micro, criminals are prepared to pay large sums for new software flaws in popular products.

The system works by creating exploits as soon as software suppliers release security bulletins. The information provided by the bulletin will generally describe in detail where the flaw occurred, providing a lead for hackers to create programs which they can sell to organised crime and fraudsters.

Trend Micro said that newly discovered Vista zero day exploits have been auctioned for £2,500, with XP vulnerabilities reaching £3,800.

According to Uriel Maimon, a senior researcher at security software supplier RSA Security, Windows security flaws are being sold on the open market, just like phishing kits and Trojans - with unpublished zero day exploits for Windows selling for £1,000.

A spokesman for the Serious Organised Crime Agency confirmed that malware attacks were rising, and that the agency had seen evidence of exploits being produced by organised crime for financial gain.

The problem is not just limited to the UK. The FBI also estimates that spyware and other computer-related crimes caused £32bn of damage to US businesses in 2005.

The problem has gained attention because of Microsoft's decision to delay until last month a security update for a vulnerability (the animated cursor exploit) it had known about since 2006. As a result of hackers targeting the flaw through a zero day attack, some users installed free third-party fixes, which were made available earlier.

Security software supplier eEye Digital Security provided an unofficial patch last year to this Microsoft vulnerability and received 70,000 downloads in three days. The increase in zero day attacks is one reason users have been unwilling to wait for official updates.

The early availability of third-party patches gives rise to the question of why Microsoft - with the best knowledge of and access to the source code - takes longer than volunteer programmers to fix the problem.

Microsoft said that creating security updates that fix vulnerabilities is an extensive process, and factors influencing the speed of the process include conducting a risk assessment on the affected product and testing it.

"Once the update is built it must be tested with the different operating systems and applications it affects, then localised for many markets and languages across the globe. In some instances, multiple suppliers are affected by the same or similar issue, which requires a coordinated release," said a Microsoft spokesman.

However, Alan Shimel, chief strategy officer at security supplier StillSecure, said, "The most recent patch by eEye was so widely downloaded because there were real attacks in the wild exploiting this vulnerability, and Microsoft did not respond quickly enough. Users have a legitimate right to download a third-party patch."

Shimel advises using third-party patches with caution, but said that if suppliers did not release patches quickly enough, the whole responsible disclosure system of vulnerability research falls apart.

Raimund Genes, chief technology officer for anti-malware at Trend Micro, said that if Microsoft did not change the way it issues updates to take into account these types of attacks, it would leave its customers vulnerable.

Bill Nagel, security analyst at Forrester Research, said zero day attacks are getting nastier and better organised, and he expects to see more third-party patches being released before the software supplier releases an official patch.

As a lot more exploits are also being released on Patch Tuesday (or the day after), Nagel said IT security managers should draft plans to deal with zero day attacks. "Determining a realistic threat level is important in the current example, this will give security managers guidance on whether to apply an unofficial patch or wait for the official Microsoft response."

Nagel warned that if users applied an unofficial patch, they would need to uninstall it before installing the supplier's official patch. He also recommended that they only download a third-party patch signed by a trusted source.

"If possible, audit the source code yourself to ensure that it does only what it claims to do - otherwise, your patch might contain a Trojan worse than the flaw it claims to fix."
Computer Weekly blogger and former chief security officer at the Royal Mail, David Lacey, said, "By downloading third-party fixes you are substituting one risk for another. As long as you understand what can go wrong, it is fine. That is what risk assessment is all about. But personally, I would be a little worried about the consequences."
Microsoft said it carefully reviews and tests security updates and workarounds to ensure their quality, but the company could not provide similar assurances for independent third-party security updates.