Re: how often do 0-days REALLY happen?

From: Gamble (a629wat_private)
Date: Tue Jan 08 2002 - 19:51:58 PST


    I really think that when you consider how often 0-day exploits appear that
    you also have to take into consideration a number of other points.  First,
    it is likely that most currently known exploits were at one time or
    another used by black hats before they became public knowledge.
    
    Knowing this, you also have to realize that the number of hackers using
    the 0-day is rather small compared to the size of the black hat
    community.  Also, 0-day exploits are rarely scanned for, which makes it
    more difficult to detect that an exploit for xyz exists.  One also has to
    assume that if a hacker has his hands on a brand new hand-written (or
    traded) exploit, that he also has the skill set necessary to use it
    with as little chance of detection as possible.  From what I have seen,
    people rarely use 0-days unless every other avenue of compromise is
    unsuccessful.
    
    But speaking as a person who has seen exploits pop up in code and hearing
    about discoveries made by friends, I can honestly say that they are out
    there. From an admin's point of view, it can be difficult to tell if an
    unknown exploit was used or not.  Once you realize that a compromised box
    was fully patched, do you just assume that it was a 0-day, or a more common
    point of entry, such as bad passwords or a compromised user account on a
    trusted machine?
    
    
    just my 2 cents,
    
    -- Jamie
    
    
    > Hi everyone,
    > 
    > I have been reading this list for a couple of years now and I just
    > got done reading Hacker's Challenge.  Great book (hi to everyone who
    > contributed and reads this list, I know David D is one of them).  The
    > book is quite unique in how it goes about presenting itself. 
    > Basically it is 20 challenges (here is what happened, here are the
    > logs, and here are some questions).  At the end of the book are the
    > solutions (how a security professional figured out xy and most
    > importantly z).  The reason I wrote the subject heading as I did is
    > because throughout the book they show case after case of remote
    > exploits, all for vulns that are months old.  On this list and the sec
    > basics I constantly (relative I know) hear people talking about being
    > compromised by vulns that patches have been available for, for
    > months.  So I ask upon you incidents list (ye who have SO MUCH more
    > experience than I) do systems being compromised by zero day exploits
    > really happen (I am sure they happen but I am really curious as to
    > the frequency and how a professional goes about dealing with a never
    > seen before exploit.)  Just figured I would throw that out there and
    > see how everyone responds because I was thinking about it on the walk
    > home (hey, shoot me, it is cold in nyc, gotta do something to keep
    > from freezing). 
    > 
    > Cheers & TIA,
    > 
    > Leon
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    > 
    > iQA/AwUBPDuGj9qAgf0xoaEuEQI/WgCfQQNfGWqTRDZefFmT80WhIOTdYPYAoKV8
    > wpaiOoiq6Q55TXu/NctJOWYN
    > =x7uY
    > -----END PGP SIGNATURE-----
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
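The triage question Jamie raises (a fully patched box was compromised: 0-day, or one of the mundane entry paths?) as an added example that is not part of the original post or of anything on this list: a small Python script that checks the common explanations, guessed passwords and logins arriving via a trusted host, before an unknown exploit gets the blame. The sshd log lines, hostnames and the trusted-host set are constructed for the example, and the failure threshold is an assumption, not a number from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of sshd syslog lines (not real logs): a password-guessing
# burst from 10.0.0.5 that ends in an accepted root login, a key-based login
# from a host the admin treats as trusted, and an ordinary password login.
SAMPLE_LOG = """\
Jan  8 02:14:01 web1 sshd[4121]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jan  8 02:14:03 web1 sshd[4121]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jan  8 02:14:05 web1 sshd[4123]: Failed password for root from 10.0.0.5 port 40130 ssh2
Jan  8 02:14:07 web1 sshd[4125]: Failed password for root from 10.0.0.5 port 40140 ssh2
Jan  8 02:14:09 web1 sshd[4127]: Failed password for root from 10.0.0.5 port 40151 ssh2
Jan  8 02:14:11 web1 sshd[4129]: Accepted password for root from 10.0.0.5 port 40160 ssh2
Jan  8 03:02:44 web1 sshd[4301]: Accepted publickey for deploy from 192.168.1.20 port 51002 ssh2
Jan  8 09:30:12 web1 sshd[4410]: Accepted password for alice from 192.168.1.44 port 52111 ssh2
"""

# Matches the classic OpenSSH "Accepted/Failed <method> for <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield one dict per sshd auth event; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, trusted_hosts, fail_threshold=3):
    """Look for the mundane entry paths before assuming an unknown exploit.

    Returns a dict of three lists of (user, src) pairs:
      guessed_passwords       - at least fail_threshold failures from src preceded
                                an accepted password login for the same user
      password_from_untrusted - accepted password logins from hosts outside trusted_hosts
      via_trusted_host        - accepted logins that came from a trusted host, the
                                'compromised account on a trusted machine' case to pivot to
    fail_threshold is an assumed value for the example, not a recommendation.
    """
    failures = defaultdict(int)  # (user, src) -> failures seen so far
    findings = {"guessed_passwords": [], "password_from_untrusted": [], "via_trusted_host": []}
    for ev in parse(log_text.splitlines()):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        # Accepted login: test it against each of the three mundane explanations.
        if ev["method"] == "password" and failures[key] >= fail_threshold:
            findings["guessed_passwords"].append(key)
        if ev["method"] == "password" and ev["src"] not in trusted_hosts:
            findings["password_from_untrusted"].append(key)
        if ev["src"] in trusted_hosts:
            findings["via_trusted_host"].append(key)
    return findings


def verdict(findings):
    """An unknown exploit is the hypothesis of last resort: only when nothing mundane explains the access."""
    if any(findings.values()):
        return "explain the mundane logins first"
    return "no common entry path found; treat an unknown exploit as a live hypothesis"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, trusted_hosts={"192.168.1.20"})
    for name, hits in result.items():
        print(f"{name}: {hits}")
    print(verdict(result))
```

On the constructed sample the script attributes the root login to a guessed password and flags the deploy login as the trusted-host pivot to check next, so the "fully patched, therefore 0-day" conclusion never gets reached. Run it against real auth logs by replacing SAMPLE_LOG with the file contents and trusted_hosts with the hosts that legitimately log in; anything that survives all three checks is what actually deserves the unknown-exploit investigation.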
    


