A Lively Market, Legal and Not, for Software Bugs
Microsoft says its new operating system, Windows Vista, is the most secure in the company’s history. Now the bounty hunters will test just how secure it is.
When its predecessor, Windows XP, was released five years ago, software bugs were typically hunted by hackers for fame and glory, not financial reward. But now software vulnerabilities — as with stolen credit-card numbers and spammable e-mail addresses — carry real financial value. They are commonly bought, sold and traded online, both by legitimate security companies, which say they are providing a service, and by nefarious hackers and thieves.
Vista, which will be installed on millions of new PCs starting today, provides the latest target.
This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness.
IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems.
Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks.
The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them.
Especially prized are so-called zero-day exploits, attack code for flaws the vendor has not yet patched, which spread immediately because there is no known defense.
Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more.
“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.”
Gleg sells vulnerability research to a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates. Mr. Legerov says he regularly turns down the criminals who send e-mail messages offering big money for bugs they can use to spread malicious programs like spyware.
Misusing such information to attack computers or to aid others in such attacks is illegal, but there appears to be nothing illegal about the act of discovering and selling vulnerabilities. Prices for such software bugs range from a couple of hundred dollars to tens of thousands.
Microsoft is not the only target, of course. Legitimate security researchers and underground hackers look for weaknesses in all commonly used software, including Oracle databases and Apple’s Macintosh operating system. The more popular a program, the higher the price for code that attacks it.
The sales of Vista faults will therefore continue to trail the sale of flaws in more widely used programs, even Windows XP, for the foreseeable future.
“Of course it concerns us,” Mark Miller, director of the Microsoft Security Response Center, said of the online bazaar in software flaws, which it has declined to enter. “With the underground trading of vulnerabilities, software makers are left playing catch-up to develop updates that will help protect customers.”
Throughout the 1990s, software makers and bug-hunters battled over the way researchers disclosed software vulnerabilities. The software vendors argued that public disclosure gave attackers the blueprints to create exploitative programs and viruses. Security researchers charged that the vendors wanted to hide their mistakes, and that making them public allowed companies and individual computer users to protect their systems.
The two sides reached an uneasy compromise. Security researchers would inform vendors of vulnerabilities, and as long as the vendor was responsive, wait for the release of an official patch before publishing code that an attacker could use. Vendors would give public credit to the researcher. The détente worked when most researchers were motivated by acclaim and a desire to improve security.
But “in the last five years the glory seekers have gone away,” said David Perry, global education director at Trend Micro. “The people who are drawn to it to make a living are not the same people who were drawn to it out of passion.”
In 2002, iDefense Labs became one of the first companies to pay for software flaws, offering just a few hundred dollars for a vulnerability. It administered the program quietly for a few years, then answered early critics by arguing that it was getting those bugs out into the open and informing software makers, at the same time as clients, before announcing them to the general public.
“We give vendors ample time to react, and then we try to responsibly release them,” said Jim Melnick, the director of threat intelligence at iDefense.
In 2005, TippingPoint, a division of the networking giant 3Com, joined iDefense in the nascent marketplace with its “Zero-Day Initiative” program, which last year bought and sold 82 software vulnerabilities. IDefense said its freelance researchers discovered 305 holes in commonly used software during 2006 — up from 180 in 2005 — and paid $1,000 to $10,000 for each, depending on the severity.
Security researchers warmed to the idea that vulnerabilities were worth real dollars. In December 2005, a hacker calling himself “Fearwall” tried to sell on eBay a program to disrupt computers through Excel, Microsoft’s spreadsheet program. Bidding reached a paltry $53 before the auction site pulled it.
Nevertheless, several Internet attacks in the following months exploited flaws in Excel, suggesting to security experts that its creator ultimately found other ways to sell it.
In January 2006, a Moscow-based security company, Kaspersky Labs, found more evidence of an emerging marketplace for software bugs. Russian hacking gangs, it disclosed at the time, had sold a “zero-day” program aimed at the Microsoft graphics file format, Windows Metafile or WMF. The price: $4,000.
The program was widely used that month and allowed criminals to plant spyware and other malicious programs on the computers of tens of thousands of unsuspecting Internet users. Microsoft rushed out a patch.
It had to distribute another patch in September to counter a further malicious program, this one exploiting a flaw in the vector graphics engine of Internet Explorer that enabled further cyber mischief.
Marc Maiffret, co-founder of eEye Digital Security, a computer security company, said prices in the evolving black market quickly proved higher than what legitimate companies would pay. “You will always make more from bad guys than from a company like 3Com,” he said.
Even ethical researchers feel that companies like iDefense and TippingPoint do not adequately compensate for the time and effort needed to discover flaws in complex, relatively secure software.
And some hackers have little ethical compunction about who buys their research, or what they use it for. In a phone interview last week arranged by an intermediary in the security field, a hacker calling himself “Segfault,” who said he was a college-age student in New York City, led a reporter on an online tour of a public Web site, ryan1918.com, where one forum is provocatively titled “Buy-Sell-Trade-0day.”
Segfault, who said he did not want to reveal his name because he engages in potentially illegal activity, said the black market for zero-days “just exploded” last year after the damaging Windows Metafile attack.
He claims he earned $20,000 last year from selling his own code — mostly on private chat channels, not public forums like Ryan1918 — making enough to pay his tuition.
Although he conceded that Microsoft had made significant strides with Vista’s security, he said underground hacker circles now had a powerful financial incentive to find its weak links.
“Vista is going to get destroyed,” he said.
That may be an exaggeration. Microsoft has taken precautions such as preventing unauthorized programs from running at the most central part of the system, called the kernel, and creating an extra level of protection between the operating system and the browser.
Microsoft appears to wish the open market for flaws in its products would simply disappear. “Our practice is to explicitly acknowledge and thank researchers when they find an issue in our software,” said Mike Reavey, operations manager of the company’s security response center. “While that’s not a monetary reward, we think there is value in it.”
But independent security analysts say those days are over. Raimund Genes, the Trend Micro researcher who found the Vista bug for sale on a Romanian Web site, said, “The driving force behind all this now is cash.”