Security researchers 'aiding' cyber-crooks
By
Andrew Charlesworth
31 July 2008 07:57AM
Tags:
security | researchers | aiding | cybercrooks
Security researchers should stop publishing vulnerabilities in the traditional way because cyber-criminals are using the code to generate zero-day exploits at record speeds, says a recent report.
The mid-year Trend Statistics report from IBM's X-Force team shows that cyber-criminals are using automated software tools to launch zero-day exploits more quickly than ever before.
The report claimed that 94 per cent of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure.
The practice of disclosing exploit code along with a security advisory is accepted practice for many security researchers.
However, according to the X-Force report, vulnerabilities disclosed by independent researchers are twice as likely to have zero-day exploit code published.
IBM believes that this calls into question how researchers practise vulnerability disclosure, and highlights a need for a new standard in the industry.
"The two major themes in the first half of 2008 were acceleration and proliferation," said X-Force operations manager Kris Lamb.
"We see a considerable acceleration in the time a vulnerability is disclosed to when it is exploited, with an accompanying proliferation of vulnerabilities overall."
Lamb warned that, without a unified process for disclosing vulnerabilities, the research industry runs the risk of actually fuelling online criminal activity.
"There is a reason why X-Force does not publish exploit code for the vulnerabilities we have found, and perhaps it is time for others in our field to reconsider this practice," he said.
Copyright © 2008 vnunet.com