[VIM] New Classification: Discovered In the Wild

security curmudgeon jericho at attrition.org
Tue Feb 12 17:38:54 UTC 2008


New Classification: Discovered In the Wild
February 12th, 2008

In a recent discussion on the security metrics mailing list, Pete
Lindstrom put forth a rough formula to throw out a number of
vulnerabilities that have been discovered versus undiscovered. One of the
data points that he cited led me to his page on undercover
vulnerabilities, his term for 0-day in a certain context. Since the term
0-day has been perverted to mean many things, he clearly defines his term:

   Undercover Vulnerability: A vulnerability that was generally unknown
   (e.g. not published on any lists, not discussed by above ground security
   folks) until it was actively exploited in the wild. The vulnerability
   was discovered through evidence of tampering or other means, not through
   the usual bugfinding ritual.

In my reply challenging some of his numbers, I specifically said that "if
we consider that your number 20 is off by at least half, and I would
personally guess it's more like a small fraction, how does this change your
numbers?" Pete took this in stride and offered to buy me a case of beer if
I could find half a dozen that he didn't have. Not one to pass up free
booze and vulnerability research (yes, I'm weird), I spent several hours
Friday doing just that. I ended up with 24 vulnerabilities that seemed to
match his definition, roughly half of them in his time frame (in the last
two years).

Pete's page got me wondering just how many vulnerabilities are classified as
undercover by his definition. Further, I thought about another question he
asked on his page:

   I am open to suggestions on an easy way to do this with TypePad
   (TypeLists, maybe?). Else, I'll just periodically update as new vulns
   become available.

I cornered our lead developer Dave and said "make it so" while I mailed
Pete asking if OSVDB could help in this effort. As a result, we now have a
new classification that we call Discovered In the Wild that means the same
thing as Pete's undercover vulnerability. I have updated the 20
vulnerabilities listed on his page and added the flag to the ones I
researched. This now shows 43 results, which is good progress.

Not content with that, I asked a fellow geek who has a world more
experience with IDS, NOC management and various devices that would be
prone to catching such vulnerabilities, "how many do you think were found
this way last year?", to which she replied "at least 50?". So vulnerability
researchers and OSVDB contributors, it's up to you to help out! We're
looking for more instances of vulnerabilities being discovered "in the
wild", being exploited and subsequently disclosed (to mail list, vendor,
whatever). Please cite your source as best as possible.

To see what we have so far:

    1. http://osvdb.org/search/advsearch
    2. Under Vulnerability Classification and Disclosure
    3. Check Discovered in the Wild
    4. Search

Thanks to Pete Lindstrom and the Security Metrics mailing list for the
input and great idea for a new classification!

