Releasing zero-day exploits to sell a product?

As companies are still picking up the pieces from the Zotob worm and its malicious siblings, a French information security company that sells early exploit warning services has released a zero-day exploit that attacks all versions of Microsoft Internet Explorer. The same company also released exploit code for the Windows PNP (Plug and Play) vulnerability less than 24 hours after Microsoft released a fix; that exploit code led to the birth of the Zotob worm 5 days later. Many companies running Windows 2000 were not prepared to patch their systems on such short notice, and they were hit the hardest. The release of this new exploit is even more alarming since it affects all instances of Internet Explorer and Microsoft has not had a chance to release a patch for the vulnerability it targets.

Microsoft responded by issuing an emergency security advisory which offers some temporary workarounds to the issue. Since the instructions are a little confusing for the average user, I wrote this explanation and some scripts to automate the Microsoft workaround, and SANS wrote their own set of utilities for automating this temporary fix the same day. I would highly recommend that everyone apply the temporary workaround since the exploit code is out in the wild.

Last month when Cisco sued Michael Lynn for simply talking about a Cisco vulnerability that was supposedly already patched by Cisco, I defended Lynn because Cisco had plenty of fair warning and Lynn wasn't releasing any actual exploit code. This case is the exact opposite: a company is releasing actual exploit code without giving the software maker any time to issue a fix, and it is doing so in a way that benefits its own business, which borders on a "protection" racket. Since the company is located in France, legal challenges are a bit tricky. It's mind boggling that this sort of thing is even allowed in a civilized world governed by the rule of law.

Talkback

  • Maybe you should name names.

    Would anyone hit by this zero-day exploit ever want to spend money on the company that caused the problem? Knowing the source would prevent future mistaken purchases.

    Is there anyone so foolish as to support or encourage behavior like this?

    Releasing code to those who can and will use it is the nuclear option of software flaw notification. Any company that makes it the first resort should be boycotted.
    Anton Philidor
    • I considered that

      ...but they'll probably end up getting free publicity for it. Then again, the other media outlets have named them.
      george_ou
    • zdnet has to be careful after google got all pissy. (nt)

      .
      hehehehe
      Valis Keogh
  • I would think that this action...

    is borderline criminal. What anti-exploitation laws does France have and why would this not be considered as such? In my opinion, it's a basic form of racketeering.
    jtnixon
    • Racketeering

      It has nothing to do with the French or French law. There are others that do the same. This is part of the 'Windows ecosystem' that Microsoft created.
      jacco
      • It's happening in France....

        1) What George tells us in his article is that specific 'Zero' day exploit releases are coming from France. That is not to say that France is particularly evil or that the US is any better (does anybody know with regard to zero day exploits?). However, enforceable laws and regulations are generated in specific countries and it looks to me like 'zero' day exploits are ripe for regulation.
        2) A 'zero' day exploit for Linux would probably be more damaging than one for M$. Linux is closer to the big data centers than M$. OSS cleans up problems quickly but everybody has problems.

        PS: The machine I am using now runs Linux. My other 3 'personal' computers run XP SP2.
        palmwarrior
      • Anti Racket

        Oh yes. This is a Windows issue. Like breaking and entering your home is an issue for the carpenters. Get real. The company is releasing the tools for breaking and entering. That is all the tools are good for. They need to be locked up along with the jerk that actually used the exploit.

        WJS
        wjs_z
      • But nothing prevents them from doing this to Linux or Apple

        This has nothing to do with Microsoft or their ecosystem. MS is a very attractive target because it is what the vast majority of people use.

        Apple just released over 40 patches for OS X. There are plenty of vulnerabilities on Linux and OSS that are being patched every month, many more than Microsoft software.
        george_ou
        • Nice FUD

          Too bad there really aren't any FACTS to back you up. Windows is the most flawed and insecure OS available to date. As well as the most expensive OS you can buy. But being you're a diehard NBMer, I would expect you to want to spread the FUD.
          Rick_K
          • What specifically are you disputing?

            All the examples of other software makers producing more buggy software are factual. All you've done is throw words like FUD and NBM around, but what specifically are you disputing?
            george_ou
  • Thanks, George

    First off I just wanted to say thanks George for putting this information up for us. I already have everyone at the company I work for running the SANS utility. Good work. Also, keep up the good work with your articles in general. I am surprised though that the bashers haven't arrived, and I am waiting for all the *nix users to use something you posted in good faith to help many of us out here who do have to support and secure Windows to start their MS bashing party. Good thing you, Anton, and No_Ax_To_Grind are out here presenting the facts.
    B.Beck
    • Great to hear this is useful

      Had I known that SANS was working on a workaround patch, I wouldn't have written my version of it:).

      You're on top of things if you're already applying the workaround.
      george_ou
      • Denile

        Scripts and patches again? Is this realistic? Is it worth reexamining your larger position in all this? As your supporter states "for those of us that have to use Windows...". What's wrong with this picture? At what point did business subvert its own right to choice?

        It's clear that the righteous indignation over vulnerability publication won't go far. It's also clear you've taken some initiative to remedy the situation. Do you see this as your role? Is it ongoing? Can we expect George Ou patches for vulnerabilities in future and are you to be compensated for this?

        A script to help with Microsoft's convoluted instructions is about as pro-active as it gets. But ask yourself, how is it we've gotten to the point we have to count on sympathetic third parties like yourself. Hardly ideal. At some point in the future it might occur that stepping out of the water is a better solution than trying to fight the tide.
        Harry Bardal
        • How bug free is the alternative?

          Apple released over 40 patches this month.

          Firefox released a few dozen patches the last few months.

          Don't talk to me about stepping out of the water until you can show me something better.
          george_ou
  • Lame

    "Many companies running Windows 2000 were not prepared to patch their systems on such short notice and they were hit the hardest."

    Are you kidding me? They weren't prepared to patch systems that system admins have had in place for several years at this point. I would like to know the actual excuses these companies gave you for stating that they were "unprepared" to patch their machines on a mass scale.

    Any of those companies can ask me for my resume btw.
    hagrin
    • Keep your resume

      Competent administrators test fixes before implementing them. The larger the enterprise, the more diverse the client systems. The more diverse the client systems, the longer it takes to test the patch. It is NOT safe to assume that all security updates can be blindly applied with no adverse effects. Hence if the exploit code is released, a worm is developed and released and begins to spread within 24-48 hours of the patch being released, it is NOT reasonable to expect admins to have the patch applied. Thus the need for a security infrastructure in the enterprise, and not putting all your eggs in the patch basket. Competent admins don't blindly apply patches, and good admins don't depend on them for security.
      Real World
      • Ok ...

        I'm pretty sure you just made my point for me.

        SANS released information about the IDS signature of the worm, what ports it traveled over, etc. I don't think I ever said "patch blindly" and as an IT manager, your response is one that I would expect. Patching isn't the only course of action in these situations and this is why being unprepared for something like this (especially when SANS went yellow the day before) is just unacceptable.

        Security demands that (at the very least):
        1) Admins have an understanding of what runs on their network and dependencies among machines.
        2) A proper testing environment to simulate network changes
        3) Attention to detail when it comes to security related issues with open lines of communication.
        4) Ability to assess risk vs. reward.

        Take for example the msdds.dll exploit. It was one registry setting that needed to be pushed to users to prevent the exploit from running on vulnerable machines. Or the Remote desktop DoS which required users not to patch their machines, but create an ACL - something that should have been done in the first place.

        These worms are just an example of lax internal security where network admins believe that since they have a firewall, they are immune to potential internal issues. Too many users have laptops that plug into external networks that are carried back into the internal environment. It's clear that the foresight wasn't there to secure the internal network in the first place and second that the warnings sent out by SANS were not heeded by everyone.
        hagrin
        • in MJB's defense...

          You are right about what you said, but you saying it, and doing it are 2 different things. It's all well and good you think you have an idea of what you could have done to keep this network up and running that you speak of, but the point is, you talking about it, and actually doing it are 2 separate things. It's easy to say when you don't have a job (your resume statement gives this away) and you're not running around fixing other fires throughout an office, testing patches, etc. It's a great idea, trust me, but when you support over 600 people and have a small IT team, things get put on the backburner to do things that need to be done right now. Sorry to say, that's just the way it is, not all companies are small and have the right amount of IT people needed to support everyone at once, it happens.

          I like this little comment from you:
          "I don't think I ever said "patch blindly" and as an IT manager, your response is one that I would expect."

          very interesting, but he has a job and you have to offer your resume over a talkback. Apparently he does do his job well enough, he has one.
          Monkey_MCSE
        • You took exception to the statement

          "Many companies running Windows 2000 were not prepared to patch their systems on such short notice and they were hit the hardest."

          I provided good reasons that people are not prepared to patch their system in the case of a one-day exploit. The rest of your response (which is in contrast to your original post) is the gist of what I was saying.
          Real World
        • LOL

          Well you would think that someone without a job could break people down better... I mean with all the time on your hands apparently you should have read and reread your first post then responded... reading your second post it seemed to me that you left your computer and someone with no idea what you said the first time sat down and replied to the last post... Gee man I hope your resume is a little more thought out than this.

          www.fedexkinkos.com < Ideal for giving *weak* resumes and pathetic posts a once over before you make an ass out of yourself.
          Ishkaboo