Businesses Security IT

Zero-Day Vulnerabilities On the Market 94

An anonymous reader writes "Zero-day vulnerabilities have become prized possessions to attackers and defenders alike. As the recent China-Google attack demonstrated, they are the basis on which most of the successful attacks are crafted these days. There is an underground market growing around these vulnerabilities, but there are also 'white markets' — set up by VeriSign, TippingPoint, Google — where they buy zero-day flaws and alert the companies so that they can patch their products before the vulnerabilities can be taken advantage of."
  • Good to know (Score:1, Insightful)

    by Anonymous Coward on Monday February 08, 2010 @11:55AM (#31061022)

    I always appreciate the clarification that a growing market is growing.

  • by adonoman ( 624929 ) on Monday February 08, 2010 @12:05PM (#31061152)
    It'd work great until a few farmers, who sold to the government instead of the local underground, wind up dead.
  • by Imagix ( 695350 ) on Monday February 08, 2010 @12:05PM (#31061160)
    OK, this is a pet peeve of mine, but why the heck do these get called "Zero-day vulnerabilities"? Yes, I understand that the definition is that the zero-day refers to the time between the vulnerability is made public and the time that an exploit is made available. However, I don't get why this needs an additional moniker on top of being a vulnerability in the first place. Don't most of the vulnerabilities have an exploit the same day that the vulnerability is published (wouldn't you want to have a proof of concept that the vulnerability exists, I'd assume one was created.)? I haven't heard of many "7-day vulnerabilities". So why isn't the "zero-day" thing implied? If a vulnerability is exposed and there is no exploit available, the vendors already make statements such as "there are no known exploits for this". Where I would think that the "zero-day" moniker would actually add some information is if the vulnerability is exposed on the zeroth day of release of the product in question. _That_ would be something to give a special name to. That would mean that the developer has botched it so badly that it didn't even take 24 hours before someone found a hole. As it is now (IMHO) the "zero-day" moniker is simply being alarmist and only trying to add sparkle to the term, and carries no significant information.
  • by thijsh ( 910751 ) on Monday February 08, 2010 @12:06PM (#31061178) Journal
    You seem to be under the impression that the war (on drugs) has anything to do with logical reasoning...
    It's a great idea though, and I bet it will in fact work *and* be cheaper.
  • by L4t3r4lu5 ( 1216702 ) on Monday February 08, 2010 @12:07PM (#31061186)
    Buying products other than opium, i.e. incentives to plant other crops would be better.

    On another point, don't you think the Taliban might be a little irritated by this and, ooooh I don't know, cut off some farmers' heads? I hear they've been known to do that to make a point.
  • by swb ( 14022 ) on Monday February 08, 2010 @12:19PM (#31061326)

    We can incentivize the growing of other crops, too, but we should also be prepared to buy up the opium crop.

    The alternative is destroying the opium crop; this impoverishes the farmer further, destroys his livelihood and causes him to not just grow opium, but join the Taliban.

  • by bsDaemon ( 87307 ) on Monday February 08, 2010 @12:28PM (#31061458)
    I always thought 0-day should refer to time between the software itself is released and an exploit is found. Frankly, that would make more sense and that's the type of vulnerability that would actually be somewhat impressive as well as potentially devastating. If a piece of software has been floating around for a few months and then an attack against it is announced, I assume that the vector has been exploited already without an announcement and am hardly surprised that a vulnerability has been found by that point in time.
  • by Anonymous Coward on Monday February 08, 2010 @12:28PM (#31061460)

    I know you are being flippant but your average Afghani (or any Muslim) doesn't think in terms of "Christian infidels", that is the kind of talk you get from radical mullahs, talk show hosts, or rednecks. Depending on their education they are more likely to think "here are non-Muslims who are going to try to take over and get us to convert like they did during the crusades, or the British...". Most people are just like you and me, they just want to be left alone, be relatively comfortable, not be afraid all the time, and be with family and friends.

  • by Yvanhoe ( 564877 ) on Monday February 08, 2010 @12:34PM (#31061530) Journal
    The Taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibly quick. It came back thanks to the war. The drugs lords are a faction different from the Taliban.
  • by Jenming ( 37265 ) on Monday February 08, 2010 @12:43PM (#31061648)

    I bet the Opium would still reach the consumer at comparable prices.

    The Opiate trade does not exist because of Afghanistan farmers or the Taliban, it exists because consumers really want Opiates.

  • The Taliban sells heroin?

    Um... no. In July 2000, Mullah Omar ordered a ban on poppy cultivation. As far as I know, this hasn't been lifted. Other members of the Northern Alliance are responsible.

    I presume you are a US citizen; please know your enemy. The Taliban may be at war with the US, but they are even harder on drugs. It is about as conceivable as Pat Robertson selling heroin to fund Christian Outreach.

  • Re:Be careful. (Score:4, Insightful)

    by SeePage87 ( 923251 ) on Monday February 08, 2010 @01:16PM (#31062062)
    Maybe. The interesting thing is that the exploit is both the attack and also what is needed to fix it. There's a credible threat that others may use the same exploit, not just the one who found it. A company who did this openly, whose founding documents declare they only sell software vulnerability information with the software's creator, whose NDAs included clauses that they will never share this information with others in perpetuity regardless of the potential client's decision on whether to buy the information... I think they could develop a defensible case and eventually a trusted brand image. Just because a company sells fire insurance doesn't mean they're really threatening to commit arson.
  • by _Sprocket_ ( 42527 ) on Monday February 08, 2010 @01:59PM (#31062528)

    The Taliban are actually opposed to drugs production. While they were in power, the area of opium cultures fell down incredibly quick. It came back thanks to the war. The drugs lords are a faction different from the Taliban.

    Which is all nice and fine as long as the Taliban remains in control. But what happened after?

    There are reports that the Taliban are now involved in the drug trade again. Despite the use of this as obvious propaganda, it isn't that far-fetched as the Taliban initially hadn't had a problem with opium since it was a drug for foreigners (hashish was another matter). Of course, it's also very likely that the Taliban is only one of many players in the increased trade. Narcotics is a major industry and quickly becomes prominent in any unstable environment. It becomes a vehicle for not only criminals and warlords but other traders in power to include intelligence agencies and legitimate businesses.
