Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, August 28, 2006

Tipping Point to publish flaws of many popular business solutions

A security company that pays hackers for information on software flaws and exploits plans to release a list of 29 unpatched flaws in products sold by a host of big-name vendors, including Microsoft, IBM, Apple Computer and Novell.  The Aug. 28 disclosure from TippingPoint’s ZDI (Zero Day Initiative) flaw bounty program is a significant change to the way the 3Com-owned company handles the disclosure of vulnerability data it buys from external researchers.  Instead of waiting for software makers to issue patches, TippingPoint will announce the flaw purchase in bare-bones advisories at the time the issue is reported to the vendor.  Dave Endler, director of research at TippingPoint, in Austin, Texas, said the list of 29 includes six bugs affecting Microsoft; three affecting Novell; two each for products sold by IBM and Apple; and one each affecting AOL, Adobe and Sun Microsystems.

“We’re simply naming the vendor, the date the issue was reported and the severity of the vulnerability,” Endler said in an interview with eWEEK.  In the first year since ZDI started shopping for flaws, Endler said the company has fielded submissions from hundreds of hackers, culminating in 30 published post-patch bulletins.

Some, like Microsoft, are very diligent about responding, but there are others that take six months or more to get a fix ready.

VeriSign’s iDefense, which also buys data on flaws and exploits from external hackers, said it has no plans to preannounce its purchases.

Payne suggested that TippingPoint’s move could point malicious hackers in a certain direction and put certain vulnerable applications at risk.  “We’ve seen this in the past with the WMF [Windows Metafile] issue and the recent problems with Microsoft Office,” Payne said in an interview with eWEEK.

Earlier in August, iDefense trained its sights on serious holes in Web browsers, offering a new $10,000 prize to any hacker who can find a remotely exploitable code execution hole in Microsoft Internet Explorer or Mozilla’s Firefox.

Posted on 08/28