[OSVDB-discuss] New Classification: Discovered In the Wild

security curmudgeon jericho at attrition.org
Tue Feb 12 02:27:02 CST 2008


http://osvdb.org/blog/?p=227

New Classification: Discovered In the Wild
February 12th, 2008

In a recent discussion on the security metrics mailing list, Pete 
Lindstrom put forth a rough formula to throw out a number of 
vulnerabilities that have been discovered versus undiscovered. One of the 
data points that he cited led me to his page on undercover 
vulnerabilities, his term for 0-day in a certain context. Since the term 
0-day has been perverted to mean many things, he clearly defines his term 
as:

  Undercover Vulnerability: A vulnerability that was generally unknown 
  (e.g. not published on any lists, not discussed by above ground security 
  folks) until it was actively exploited in the wild. The vulnerability 
  was discovered through evidence of tampering or other means, not through 
  the usual bugfinding ritual.

In my reply challenging some of his numbers, I specifically said: "If we 
consider that your number 20 is off by at least half, and I would 
personally guess it's more like a small fraction, how does this change your 
numbers?" Pete took this in stride and offered to buy me a case of beer if 
I could find half a dozen that he didn't have. Not one to pass up free 
booze and vulnerability research (yes, I'm weird), I spent several hours 
Friday doing just that. I ended up with 24 vulnerabilities that seemed to 
match his definition, roughly half of them in his time frame (the last 
two years).

Pete's page got me wondering just how many vulnerabilities are classified as 
undercover by his definition. Further, I thought about another question he 
asked on his page:

  I am open to suggestions on an easy way to do this with TypePad 
  (TypeLists, maybe?). Else, I'll just periodically update as new vulns 
  become available.

I cornered our lead developer Dave and said "make it so" while I mailed 
Pete asking if OSVDB could help in this effort. As a result, we now have a 
new classification that we call "Discovered In the Wild" that means the same 
thing as Pete's undercover vulnerability. I have updated the 20 
vulnerabilities listed on his page and added the flag to the ones I 
researched. This now shows 43 results, which is good progress.

Not content with that, I asked a fellow geek who has a world more 
experience with IDS, NOC management and various devices that would be 
prone to catching such vulnerabilities, "how many do you think were found 
this way last year?", to which she replied "at least 50?". So vulnerability 
researchers and OSVDB contributors, it's up to you to help out! We're 
looking for more instances of vulnerabilities being discovered "in the 
wild", being exploited and subsequently disclosed (to a mailing list, vendor, 
whatever). Please cite your source as best you can.

To see what we have so far:

   1. http://osvdb.org/search/advsearch
   2. Under Vulnerability Classification and Disclosure
   3. Check Discovered in the Wild
   4. Search

Thanks to Pete Lindstrom and the Security Metrics mailing list for the 
input and great idea for a new classification!

