New Zero Day Tracker Web site lists unpatched vulnerabilities in an effort to aid computer users and pressure vendors.
How confident are you that your computer is safe from an online attack?
Chances are you rely on vendors like Microsoft and Apple to let you know when a security update is ready to be installed. (Google updates systems automatically.)
But until a patch is released, that hole--known as a zero-day vulnerability--in effect makes your computer a sitting duck for anyone who writes an exploit for it and bothers to distribute it via e-mails and drive-by downloads on Web sites.
EEye Digital Security launched a Web site yesterday that lists current zero-day vulnerabilities and offers an archive on ones that have been patched. The Zero Day Tracker compiles information on publicly disclosed security holes and provides details on them including what software they affect, how severe they are, the potential impact and suggestions for workarounds and other protection techniques.
Marc Maiffret, co-founder and chief technology officer of eEye, describes the free site as a "one-stop shop" for zero-day information.
"For the longest time the only company that would notify you about zero-days was Microsoft, and recently Adobe has started doing that," he said. "But there are still many other companies that have zero-day vulnerabilities that go unreported."
The most widely used database of software vulnerabilities is the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division/US-CERT and run by the National Institute of Standards and Technology. There is also the Open Source Vulnerability Database, the US-CERT Vulnerability Notes Database and one run by SecurityFocus. But you have to do some digging on the sites to find the vulnerabilities that are unpatched.
Zero Day Tracker lists the outstanding unpatched holes with the most recent at the top. There are 21 current zero-days, all of them from 2010 except for one from 2006 and one from 2005. The oldest extant unpatched hole was first disclosed in November 2005 and affects Windows 2000. Patched zero-days are archived by year and date back to 2005.
"Microsoft, as some might expect, has the largest amount of unpatched zero day vulnerabilities in 2010," Maiffret said. Microsoft also dominates previous years too, not surprisingly, with increasing numbers for Adobe Systems as the years progress and only a few for Apple among them.
Those statistics are cursory and likely to change as eEye works to populate the archives.
Meanwhile, asked to comment on the dearth of Apple listings, Maiffret said that reflects on Apple's market being much smaller than Windows and does not mean that Macintosh software is more secure.
"There are significantly fewer zero-day vulnerabilities for Apple compared to Microsoft and Microsoft-related applications, but it's definitely not about Mac not having vulnerabilities," he said. Attackers prefer to spend their time and energy targeting the 90 or so percent of computers on the Internet running Windows, he added. (For more on the Mac-PC comparison, see "In their words: Experts weigh in on Mac vs. PC security.")
Recently, Adobe rushed out a patch for a zero-day vulnerability in Flash Player, and Microsoft released an emergency patch for one that exploited a Windows hole to spread the Stuxnet worm, which targets industrial control and critical infrastructure systems. Stuxnet exploited three other Windows vulnerabilities, one of which Microsoft patched last week and two others that are pending.
The Zero Day Tracker site also will include information on unpatched mobile software, which is a growing field. "One of the last iPhone jailbreak hacks out there was actually leveraging a vulnerability within PDF (portable document format) processing on the iPhone," Maiffret said. "That's an example of a zero-day vulnerability on the mobile platform."
In addition to offering a handy resource for people looking for zero-day information, Maiffret hopes that publicizing vulnerabilities on the Zero Day Tracker site will motivate vendors to patch them more quickly. "We want to put pressure on software vendors," he said.
The company is gathering its information from vendors, security e-mail lists, and by monitoring underground and overseas forums where malicious hackers brag about finding or exploiting holes in popular programs. "One (tip) we got was based on conversations on a Chinese message board," Maiffret said.
Often, when announcing a security hole vendors will attempt to assuage customer fears by announcing that attacks targeting the vulnerability have not yet been seen in the wild. But it's usually only a matter of time before an exploit surfaces, particularly if the software is something popular like Windows, Adobe Reader or Internet Explorer, according to Maiffret. "Often it's within the same day," he said.
For instance, Microsoft on Friday warned of a serious hole in its ASP.NET framework used to create Web sites and said it was not aware of any attacks using it. On Monday, the company updated its security advisory on the vulnerability to say that it was aware of "limited, active attacks" using the hole.
Exploits can go undetected for months, or even longer. For example, it's unclear how long the Operation Aurora attack that targeted Google and dozens of other companies via an unknown hole in Internet Explorer was going on. Google disclosed it in January 2010 and said it uncovered it the previous month. But one analysis said it was first tested in the wild five months before then, although it might not have been targeting the same companies at that time. Several days after Google announced the attacks, Microsoft confirmed the IE hole and a week later patched it.
"The vulnerability was being used before the industry knew about it," Maiffret said. "There are a huge number of attacks we don't know about and we typically learn about accidentally."