The research behind these critical flaws, and the ensuing exploit codes, sometimes leads through the seedy black market, where everything seems to have a price, experts say.
"If I've got a vulnerability that is remotely exploitable and allows me access on a system, that's clearly valuable," says Vincent Weafer, senior director at Symantec Security Response. "And people are willing to pay for that."
Although a market for vulnerabilities could encourage more security research — thereby making systems safer — the power of greed among discoverers is worrisome, according to Symantec's Internet Security Threat Report.
"This could have profound implications for organizations and end-users, as vulnerability information will be given a financial value that may motivate researchers to sell that information on the open [or black] market to the highest bidder, rather than disclosing them publicly on mailing lists or websites."
According to the Symantec report, there were 1,896 new vulnerabilities between July 1 and December 31 of last year, and total vulnerabilities in 2005 increased by 40 percent from the prior year. Bots are increasingly being used to exploit these flaws, it notes.
"People understand that a vulnerability of an operating system affects millions and millions of users," says Shane Coursen, a senior technical consultant with Kaspersky Labs. "Vulnerabilities have become very popular because they're a great vector to get those viruses spread around quickly to a massive number of computers."
The power of a vulnerability was exemplified when Russian hacker groups sold the exploit for the zero-day Windows Metafile vulnerability for $4,000 on the black market, as Alexander Gostev of Kaspersky revealed in January. The flaw led to panicked customers and forced Microsoft to hurry an out-of-cycle patch.
"We don't know who was the first to discover the vulnerability. We only know who was involved in creating and distributing the exploit and subsequent modifications," Gostev says. "The data we have, plus the Russian involvement, make it clear that information about the vulnerability was not passed to companies, such as eEye or iDefense, which specialize in identifying vulnerabilities."
Follow the money
VeriSign's iDefense and 3Com and its TippingPoint division's Zero Day Initiative are two leading programs that offer monetary prizes to security researchers for the responsible disclosure of vulnerabilities. Once considered free-flowing, critical information about major flaws now is being kept under wraps until a check is cut, says Charles Renert, director of security research at Determina.
"Now that the good guys can make money, they don't share," he says. "Everyone is out for themselves."
These compensatory services, however, have drawn criticism from some vendors, including Microsoft, who charge that the reward programs keep critical information from them.
"Microsoft works closely with many security research and security software companies and does not believe that offering compensation for vulnerability information is the best way they can help protect their customers," says Stephen Toulouse, project manager of Microsoft Security Response Center.
"Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end-user."
Yet while the vulnerability information may not be going directly to the vendor, at least initially, it is staying out of the hands of malicious hackers, says David Endler, director of security research at 3Com's TippingPoint. Besides, many researchers prefer not to deal with vendors, he says.
"We are purchasing the rights to their IP and their exploit code so we can buy the vendor some time and protect our customers at the same time," he says. "We're able to protect our customers with intrusion prevention systems on the same day as we disclose to the vendor."
However, according to a report by the National Infrastructure Advisory Council released in January 2004, vulnerability discoverers "should first attempt to contact the vendor directly."
"Many vendors have highly visible and well-known contact points for reporting security issues; unfortunately, many others do not," the report says. "If the discoverer cannot identify the correct channel for communicating security issues, he or she should contact a coordinator (such as CERT) for assistance. If it is not clear who within a vendor's organization will be handling a vulnerability, the discoverer should not send full technical details unless an initial response has been received."
TippingPoint pays researchers based on a sliding scale depending on the flaw's severity, but 3Com's Endler would not give away dollar values. He says the compensation is enough that a upstanding discoverer would resist the urge of going to the black market.
"To be very honest, our rewards program is such that most people who come through our program wouldn't even be attracted by an underground market," he says. "Security researchers legitimately want credit. They're not going to get credit if they sell to an underground market."
That is not an incentive, however, for hackers who "will not get paid anywhere near as much" from companies such as iDefense and 3Com's Zero Day Initiative as they would on the black market, Renert says.
Bad days ahead?
Kaspersky Labs' Coursen, though, does not forsee a flurry of new activity in the underground market, despite headlines that the WMF exploit originated there.
"The black market has always been there," he says.
But Symantec remains concerned.
"If vulnerability research becomes increasingly marginalized and moves further underground, enterprises, customers and small businesses could face longer windows of exposure, thereby increasing their exposure to potential threats," according to the Symantec report.
"These are not the good guys," Weafer says. "These are not the researchers. You're talking about people and groups who are saying, 'I can make money.'" n
We welcome your comments. Email us at scfeedbackUS@haymarketmedia.com.