Is warehousing vulnerabilities ever right?

The fallout from the WannaCry attack continues to spread fear, uncertainty and doubt across the globe. However, a couple of interesting issues have emerged from this pretty unprecedented (in scale at least) cyber-attack, so we set out to discover whether vulnerability hoarding is ever acceptable, and likewise whether hoarding the patches that fix those vulnerabilities ever is.

Here's the thing: despite all the government denials over the years, pretty much everyone and their aunt in the security business knows that it isn't just the criminal element that swallows up zero days.

Stuxnet put that particular argument to bed a few years back now.

Pertinent to this case, the EternalBlue vulnerability exploit that had been hoarded (along with others) by the NSA swiftly bit them and us on the behind by enabling the rapid spread of WannaCry (or WannaCrypt0r). You could blame the Shadow Brokers group for releasing the code, although it's more tempting to blame the lack of code security at an agency – which has an S in its name, after all.

So what does the industry think about the whole business of state-sponsored hoarding of vulnerability data? SC Media has been asking whether national security surveillance capability should take priority over the data security of citizens.

Owen Connolly, EMEA VP at IOActive, doesn't hold back when he says "anyone who stockpiles these kinds of vulnerabilities, and thinks they can keep it quiet in this day and age, is seriously deluded and shouldn't be trusted with a keyboard".

Corey Nachreiner, CTO and security researcher at WatchGuard, is adamant that "governments that stockpile zero-day vulnerabilities are putting their citizens and the world far more at risk than is outweighed by any value in exploiting those vulnerabilities for so-called good reasons". His argument is that software vulnerabilities have a habit of always surfacing at some point.

Christine Runnegar, director of security and privacy policy at the Internet Society, agrees, telling SC Media, "Zero-day vulnerabilities might initially seem like attractive tools in the fight against cyber-criminals, but as long as they exist they pose a real and imminent threat to hundreds or thousands of innocent users."

Not everyone is so convinced though. Take Javvad Malik, security advocate at AlienVault, who says, "It's reasonable to accept and expect that state actors will buy and hoard zero-days to further their objectives."

Malik doesn't believe it's a choice of whether surveillance capabilities should take priority over the data security of citizens. "The question is, should governments be more careful and diligent in how they protect zero-days and have established vendor relations to disclose when appropriate?" he says, before answering with an "absolute yes".

Meanwhile, Simon Edwards, European cyber-security architect at Trend, offers an alternative solution: paying better bounties. "Through the TippingPoint-created Zero Day Initiative, set up in 2002, we provide an active vulnerability bounty programme which encourages vulnerability researchers to make money legitimately rather than selling to the highest bidder."

OK, so what about our other question, regarding the hoarding of patches for exploited vulnerabilities? This may seem like an odd thing to hoard, and we would agree with you. It's all to do with timing more than anything.

When Microsoft cancelled the Patch Tuesday before last, it meant everyone had to wait an extra 28 days to get protected from threats almost certainly in the wild. When it released a patch for older, non-supported systems such as XP to deal with the SMB v1 threat posed by the WannaCrypt0r attack, eyebrows were also raised, mainly because the security industry grapevine suggests this patch was actually available before the attack took hold but was not released until afterwards.

One thing is sure: Microsoft was well aware of the SMB v1 vulnerability and the critical nature of the threat. The MS17-010 critical patch in March proves that.

So why wait until after the WannaCrypt0r attack to release the fix for older Windows systems, a fix which could have lessened, if not actually stopped, the spread?

Adam Govier, senior security consultant at SureCloud, told SC, "Although there is speculation that the XP and Server 2003 patches had already been created for MS17-010 in March (and were unreleased), both government and private sector organisations have had advanced warning of the end-of-life for these OSs and migration plans ideally should have been put into effect by now to ensure a strong security posture."

He has a point, of course. One that is picked up by Brad Hegrat, director of advisory services at IOActive. "I think Microsoft deserves kudos for doing the right thing, although it definitely falls under the category of no good deed goes unpunished," he said.

And Thomas Fischer, threat researcher and security advocate at Digital Guardian, reckons, "Even if a patch had been available, it's unlikely the impact would have been lessened. Let's face it, if companies and individuals were doing the right thing in the first place, they would not need a patch as they would not have vulnerable systems."

We will leave the last word with Chris Boyd, lead malware intelligence analyst at Malwarebytes, who told SC Media, "We can only guess at why Microsoft took the steps they did, but they're in a tricky position as realistically organisations using XP won't abandon it anytime soon. By the same token, if they're seen to keep the OS on life support, we may be stuck with it forever."