Zero-day exploits are perhaps the most dangerous type of exploit. By
definition the flaws they target have not been patched, and they could be out in the
wild wreaking havoc.
There has long been a debate about when to publicly report zero-day exploits
in a responsible manner. Exposing them could end up protecting
more users by alerting them to dangers. But it could also leave more people
vulnerable by informing them of potential attack vectors.
Security firm eEye Research this week launched its Zero Day Tracker as an
effort to help the broader IT community track zero-day vulnerabilities.
Marc Maiffret, founder, CTO and chief hacking officer at eEye, explained to
internetnews.com that the main reason for launching the Zero Day
Tracker is the constant increase in zero-day vulnerabilities.
“This is the time where things just came together for a public release,”
Maiffret said.
As of 1:30 p.m. EST today, the tracker lists some seven active zero-day exploits.
The recently reported flaw in Microsoft Word is at the top of the eEye list.
Maiffret noted that eEye first reports all vulnerabilities to vendors
unless it has seen that the vendor has already acknowledged the vulnerability.
To date the eEye effort has had at least one naysayer. A hacker going by the
alias “chinese soup” posted to the popular ‘[Full-Disclosure]’ mailing list
that the effort had its share of FUD (Fear, Uncertainty, Doubt). Noodle
argued that not all of the alleged zero-day exploits were actually
exploitable.
Maiffret shrugged off the criticism.
“We have had one person post
a single e-mail to a mailing list wanting to mix words,” Maiffret said.
“We look forward to any and all feedback from the community to help improve
the zero-day site.”
The increase in zero-day exploits has also been tracked by the SANS Institute,
which has been warning of it for most of this year.
In a recent conference call, Rohit Dhamankar, editor of the SANS Top 20 list,
argued that one of the reasons for the rise in zero-day exploits in 2006 has
been the increased use of automated patching mechanisms.