Zeroday database puts the squeeze on software vendors


Security vendor launches database of unpatched vulnerabilities.

Security vendor Eeye has launched a website where the company is publishing an overview of unpatched or so-called 0-day software vulnerabilities that attackers are actively exploiting.

The company feels that publication of the information is needed now that attackers are increasingly expanding their focus beyond Microsoft software, making it harder for organizations and individuals to remain up to date about the latest security threats.

"This allows people to understand what 0-day exploits are out there," Marc Maiffret, Eeye's chief technology officer, told vnunet.com. "Part of it is also that we want to put pressure on vendors so they patch the 0-days."

Even if a vendor hasn't yet made a patch available for a vulnerability, users can often protect themselves by using workarounds, he added.

The website currently lists seven security holes that attackers are targeting. Except for one vulnerability in Adobe ActiveX, all the listed flaws affect Microsoft applications.

The data on the website is gathered from security mailing lists and public forums that are frequented by security researchers.

Roger Thompson, chief technology officer with Exploit Prevention Labs, another security vendor, applauded the initiative.

"There are over 300 vulnerabilities that get revealed every month. Only one of them is typically [exploited]. It's easy to lose track of the ones that are being used and which aren't," Thompson told vnunet.com.

But the website could also increase the exposure of unpatched vulnerabilities, effectively creating a one-stop shop for so-called script kiddies and other unsophisticated malware authors.

"There is a lot more to it. Releasing things like this isn't always good for the community as a whole," cautioned Rob Ayoub, an industry analyst covering network security markets with Frost and Sullivan.

"It's fine to put some pressure on the vendors if there is a large amount of time [before patches are released], but I'm not always a fan of this. A lot of times it causes more harm than good."

He pointed out that the website publishes the number of days that a vulnerability has been out in the open. While this could push vendors to speed up patch development, it fails to provide a balanced metric of the vendor's responsiveness.

It also remains unclear what the reasoning is behind the severity ratings that the website assigns to each flaw.

Eeye's Maiffret contends that the severity ratings are intentionally kept non-specific because the impact of a flaw often differs depending on the system configuration. He also disagrees with the notion that his website could put script kiddies on the trail of new vulnerabilities.

"You're not telling them anything that they don't already know. But IT people are left in the dark and aren't on the mailing lists that malware writers and script kiddies read," countered Maiffret.

Eeye markets client security software for enterprises that combines several techniques, such as protection against buffer overflow and phishing attacks, intrusion prevention, application white-listing and location-specific security. Earlier this year the company launched a free version of its Blink application for consumers, which allows it to gather vast amounts of security data for analysis.

Copyright © v3.co.uk