Security Incidents mailing list archives
Re: how often do 0-days REALLY happen?
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 8 Jan 2002 17:43:21 -0700 (MST)
On Tue, 8 Jan 2002, leon wrote:
I have been reading this list for a couple of years now and I just got done reading hacker's challenge. Great book (hi to everyone who contributed and reads this list, I know David D is one of them). The book is quite unique in how it goes about presenting itself. Basically it is 20 challenges (here is what happened, here are the logs, and here are some questions). At the end of the book are the solutions (how a security professional figured out xy and most importantly z).
I'm up to about chapter 9. Very interesting book, and probably of interest to the readers of this list.
months. So I ask upon you incidents list (ye who have SO MUCH more experience than I) do systems being compromised by zero day exploits really happen (I am sure they happen but I am really curious as to the frequency and how a professional goes about dealing with a never seen before exploit.)
As you stated, the vast majority of attacks out there are for older vulnerabilities. I can give a few anecdotal examples of 0-day. (In most cases, it's an unknown exploit, not an unknown vulnerability.)

- The snmpXdmid exploit. Search the Incidents archives for "Carko". Someone found a binary exploit for the snmpXdmid Solaris hole on a compromised machine. We analyzed the binary. As part of the investigative work, I found evidence for at least 4, and possibly 5, unpublished snmpXdmid exploits in the wild. Unpublished means they didn't appear on the usual mailing lists, nor on public websites.

- The .htr worm. The guys at eEye were given a copy of a worm that exploited the .htr IIS hole. This was supposedly before the hole was known publicly (true 0-day?) and is supposed to have been a precursor to CodeRed (shows some similarities). Don't know why the worm wasn't more "successful".

- There have been several "leaked" exploits, which have been discussed here and on Bugtraq. These include a TESO telnet exploit, and one or two SSH CRC32 exploits.

And of course, before Bugtraq was prevalent, all exploits that made it around were "private", stolen, etc...

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- how often do 0-days REALLY happen? leon (Jan 08)
- Re: how often do 0-days REALLY happen? Greg Francis (Jan 08)
- Re: how often do 0-days REALLY happen? Ryan Russell (Jan 08)
- Re: how often do 0-days REALLY happen? Michal Zalewski (Jan 08)
- Re: how often do 0-days REALLY happen? Gamble (Jan 08)
- RE: how often do 0-days REALLY happen? Ofir Arkin (Jan 09)
- <Possible follow-ups>
- RE: how often do 0-days REALLY happen? leon (Jan 08)
- Re: how often do 0-days REALLY happen? Randy Taylor (Jan 09)