Public information about vulnerabilities makes threats appear faster

Jul 29, 2008 08:14 GMT  ·  By

It would seem that people who are up to no good and want to get your machine infected, take less time to do so than in the past. By using information available to the general public, they are able to prepare an attack in a shorter time limit. Generally speaking, it takes about 24 hours from the moment a vulnerability is disclosed until an attack is already prepared and ready to launch. The thing is that most users find out about that particular vulnerability a lot later and consequently leave themselves exposed to infection.

In the past hackers and attackers of all sorts would spend quite a considerable amount of time looking for security vulnerabilities that they could exploit. In recent trends, this research work has been replaced by programs that generate automated attacks based on what information has been released about a security issue.

"The bad guys are not the ones actively finding vulnerabilities - they've shifted their business to standing on the shoulders of the security research community. They don't have to do the hard work anymore. Their job is packaging what's been provided to them," says Kris Lamb, operations manager for IBM's X-Force as cited by MSNBC.

Since the security experts do all the research and then by disclosing the findings basically make the attacker's work that much easier, a debate has been launched on how much information should be shared with the general public and how much should be kept private. If a researcher releases technical details as well as "proof-of-concept" exploit code, then a wrongdoer has all the necessary information to launch an attack, especially if said researcher has done so before a security fix could be issued by the software manufacturer.

Just to put things into perspective, in 94% of the cases a hacking exploit was ready in less than 24 hours after disclosing a vulnerability within various web browsers. Compared to 2007, one can notice a 24% increase.