[Infowarrior] - A Lively Market, Legal and Not, for Software Bugs

[Richard Forno]

January 30, 2007
A Lively Market, Legal and Not, for Software Bugs
By BRAD STONE
http://www.nytimes.com/2007/01/30/technology/30bugs.html?ei=5094&en=8a3ee799
331ee282&hp=&ex=1170133200&partner=homepage&pagewanted=print

Microsoft says its new operating system, Windows Vista, is the most secure
in the company¹s history. Now the bounty hunters will test just how secure
it is.

When its predecessor, Windows XP, was released five years ago, software bugs
were typically hunted by hackers for fame and glory, not financial reward.
But now software vulnerabilities ‹ as with stolen credit-card numbers and
spammable e-mail addresses ‹ carry real financial value. They are commonly
bought, sold and traded online, both by legitimate security companies, who
say they are providing a service, and by nefarious hackers and thieves.

Vista, which will be installed on millions of new PCs starting today,
provides the latest target.

This month, iDefense Labs, a subsidiary of the technology company VeriSign,
said it was offering $8,000 for the first six researchers to find holes in
Vista, and $4,000 more for the so-called exploit, the program needed to take
advantage of the weakness.

IDefense sells such information to corporations and government agencies,
which have already begun using Vista, so they can protect their own systems.

Companies like Microsoft do not endorse such bounty programs, but they have
even bigger problems: the willingness of Internet criminals to spend large
sums for early knowledge of software flaws that could provide an opening for
identity-theft schemes and spam attacks.

The Japanese security firm Trend Micro said in December that it had found a
Vista flaw for sale on a Romanian Web forum for $50,000. Security experts
say that the price is plausible, and that they regularly see hackers on
public bulletin boards or private online chat rooms trying to sell the holes
they have discovered, and the coding to exploit them.

Especially prized are so-called zero-day exploits, bits of disruption coding
that spread immediately because there is no known defense.

Software vendors have traditionally asked security researchers to alert them
first when they find bugs in their software, so that they could issue a fix,
or patch, and protect the general public. But now researchers contend that
their time and effort are worth much more.

³To find a vulnerability, you have to do a lot of hard work,² said Evgeny
Legerov, founder of a small security firm, Gleg Ltd., in Moscow. ³If you
follow what they call responsible disclosure, in most cases all you receive
is an ordinary thank you or sometimes nothing at all.²

Gleg sells vulnerability research to a dozen corporate customers around the
world, with fees starting at $10,000 for periodic updates. Mr. Legerov says
he regularly turns down the criminals who send e-mail messages offering big
money for bugs they can use to spread malicious programs like spyware.

Misusing such information to attack computers or to aid others in such
attacks is illegal, but there appears to be nothing illegal about the act of
discovering and selling vulnerabilities. Prices for such software bugs range
from a couple of hundred dollars to tens of thousands.

Microsoft is not the only target, of course. Legitimate security researchers
and underground hackers look for weaknesses in all commonly used software,
including Oracle databases and Apple¹s Macintosh operating system. The more
popular a program, the higher the price for an attacking code.

The sales of Vista faults will therefore continue to trail the sale of flaws
in more widely used programs, even Windows XP, for the foreseeable future.

³Of course it concerns us,² Mark Miller, director of the Microsoft Security
Response Center, said of the online bazaar in software flaws, which it has
declined to enter. ³With the underground trading of vulnerabilities,
software makers are left playing catch-up to develop updates that will help
protect customers.²

Throughout the 1990s, software makers and bug-hunters battled over the way
researchers disclosed software vulnerabilities. The software vendors argued
that public disclosure gave attackers the blueprints to create exploitative
programs and viruses. Security researchers charged that the vendors wanted
to hide their mistakes, and that making them public allowed companies and
individual computer users to protect their systems.

The two sides reached an uneasy compromise. Security researchers would
inform vendors of vulnerabilities, and as long as the vendor was responsive,
wait for the release of an official patch before publishing code that an
attacker could use. Vendors would give public credit to the researcher. The
détente worked when most researchers were motivated by acclaim and a desire
to improve security.

But ³in the last five years the glory seekers have gone away,² said David
Perry, global education director at Trend Micro. ³The people who are drawn
to it to make a living are not the same people who were drawn to it out of
passion.²

In 2002, iDefense Labs became one of the first companies to pay for software
flaws, offering just a few hundred dollars for a vulnerability. It
administered the program quietly for a few years, then answered early
critics by arguing that it was getting those bugs out into the open and
informing software makers, at the same time as clients, before announcing
them to the general public.

³We give vendors ample time to react, and then we try to responsibly release
them,² said Jim Melnick, the director of threat intelligence at iDefense.

In 2005, TippingPoint, a division of the networking giant 3Com, joined
iDefense in the nascent marketplace with its ³Zero-Day Initiative² program,
which last year bought and sold 82 software vulnerabilities. IDefense said
its freelance researchers discovered 305 holes in commonly used software
during 2006 ‹ up from 180 in 2005 ‹ and paid $1,000 to $10,000 for each,
depending on the severity.

Security researchers warmed to the idea that vulnerabilities were worth real
dollars. In December 2005, a hacker calling himself ³Fearwall² tried to sell
on eBay a program to disrupt computers through Excel, Microsoft¹s
spreadsheet program. Bidding reached a paltry $53 before the auction site
pulled it.

Nevertheless, several Internet attacks in the following months exploited
flaws in Excel, suggesting to security experts that its creator ultimately
found other ways to sell it.

In January 2006, a Moscow-based security company, Kaspersky Labs, found more
evidence of an emerging marketplace for software bugs. Russian hacking
gangs, it disclosed at the time, had sold a ³zero-day² program aimed at the
Microsoft graphics file format, Windows Metafile or WMF. The price: $4,000.

The program was widely used that month and allowed criminals to plant
spyware and other malicious programs on the computers of tens of thousands
of unsuspecting Internet users. Microsoft rushed out a patch.

It had to distribute another patch in September, to counter one more
malicious program, which involved a flaw in the vector graphics engine of
Internet Explorer, that enabled further cyber mischief.

Marc Maiffret, co-founder of eEye Digital Security, a computer security
company, said prices in the evolving black market quickly proved higher than
what legitimate companies would pay. ³You will always make more from bad
guys than from a company like 3Com,² he said.

Even ethical researchers feel that companies like iDefense and TippingPoint
do not adequately compensate for the time and effort needed to discover
flaws in complex, relatively secure software.

And some hackers have little ethical compunction about who buys their
research, or what they use it for. In a phone interview last week arranged
by an intermediary in the security field, a hacker calling himself
³Segfault,² who said he was a college-age student in New York City, led a
reporter on an online tour of a public Web site, ryan1918.com, where one
forum is provocatively titled ³Buy-Sell-Trade-0day.²

Segfault, who said he did not want to reveal his name because he engages in
potentially illegal activity, said the black market for zero-days ³just
exploded² last year after the damaging Windows Metafile attack.

He claims he earned $20,000 last year from selling his own code ‹ mostly on
private chat channels, not public forums like Ryan1918 ‹ making enough to
pay his tuition.

Although he conceded that Microsoft had made significant strides with
Vista¹s security, he said underground hacker circles now had a powerful
financial incentive to find its weak links.

³Vista is going to get destroyed,² he said.

That may be an exaggeration. Microsoft has taken precautions such as
preventing unauthorized programs from running at the most central part of
the system, called the kernel, and creating an extra level of protection
between the operating system and the browser.

Microsoft appears to wish the open market for flaws in their products would
simply disappear. ³Our practice is to explicitly acknowledge and thank
researchers when they find an issue in our software,² said Mike Reavey,
operations manager of the company¹s security response center. ³While that¹s
not a monetary reward, we think there is value in it.²

But independent security analysts say those days are over. Raimund Genes,
the Trend Micro researcher who found the Vista bug for sale on a Romanian
Web site, said, ³The driving force behind all this now is cash.²