As you may know Microsoft has release MS12-063 out-of-band security bulletin, how fix 5 security vulnerabilities including CVE-2012-4969, the Internet Explorer 0day I discovered exploited in the wild by the Nitro gang last weekend.
After analyzing MS12-063 and all the vulnerabilities fixed in this bulletin, I was surprised to see that CVE-2012-4969 was credited to an anonymous researcher, working with TippingPoint’s Zero Day Initiative.
Microsoft thanks the following for working with us to help protect customers: An anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)
So, to be clear, this means that this vulnerability was discovered by another researcher, previously to my discovery, reported to ZDI, which then reported it to Microsoft. Hum… Microsoft didn’t yet provide the ZDI reference and ZDI also don’t has communicate around it.
Based on NIST NVD, CVE-2012-4969, has a CVSS base score of 9.3, cause “AccessComplexity” score is set to “Medium“. But really I think that the “AccessComplexity” should be set to “Low” how result then to a CVSS base score of 10.
If you take a look at all Microsoft ZDI upcoming advisories, all related ZDI-CAN, reported by an anonymous researcher, have a maximum CVSS base score of 7.5.
Here under all ZDI CAN’s, reported by an anonymous researcher:
- ZDI-CAN-1586 was reported the 2012-07-24, with CVSS of 7.5
- ZDI-CAN-1574 was reported the 2012-07-24, with CVSS of 7.5
- ZDI-CAN-1373 was reported the 2012-07-24, with CVSS of 7.5
- ZDI-CAN-1526 was reported the 2012-03-14, with CVSS of 7.5
- ZDI-CAN-1525 was reported the 2012-03-14, with CVSS of 7.5
- ZDI-CAN-1524 was reported the 2012-03-14, with CVSS of 7.5
- ZDI-CAN-1523 was reported the 2012-03-14, with CVSS of 7.5
- ZDI-CAN-1520 was reported the 2012-03-14, with CVSS of 7.5
- ZDI-CAN-1402 was reported the 2011-11-29, with CVSS of 7.5
- ZDI-CAN-1281 was reported the 2011-05-25, with CVSS of 7.5
None of these ZDI CAN vulnerabilities have a CVSS base score of 9.3 or 10. But maybe ZDI doesn’t apply good practices to CVSS scoring ?
If you take a look at the MS12-063 CVE’s assignment, reported by anonymous researchers working with ZDI:
- CVE-2012-4969, the one, was assigned the 2012-09-18
- CVE-2012-2557 was assigned the 2012-05-09
- CVE-2012-1529 was assigned the 2012-03-08
If CVE-2012-4969 was reported to ZDI, by an anonymous researcher, the vulnerability was known by Microsoft since minimum 1 month, a maximum of 462 days, an average time of 168,4 days…
You may know that ZDI (HP related company), is using the reported vulnerabilities, to create IPS filters in order to protect the HP Digital Vaccine customers. So despite the vulnerability affected vendor has not yet release a patch, HP Digital Vaccine customers are “protected” against the potential threat. So, all the potential 0days, reported to ZDI, are modeled as filters.
Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers’ intrusion prevention systems.
You may also know, that ZDI is a part of the zero day exploit market, and that the principal objective of this market is to do money by selling 0days to interested persons or organizations.
Now, just jump back at the end of August, you remember the Java 0day how was also exploited in the wild by the Nitro gang ? Take a look at the Oracle Security Alert for CVE-2012-4681, how is credited ? James Forshaw (tyranid) via TippingPoint. Hum… One more time TippingPoint is present, coincidence ?
An interesting Guardian newspaper article, regarding the Java 0day, was pointing the possible fact that:
Although little is known about the group, it is thought that they did not discover the flaw themselves but may have bought it from a commercial group that specialises in selling details about “zero-day” flaws in software that can be used to penetrate commercial or government systems, even when they have the most up-to-date cybersecurity in place.
This begin to make to much coincidences, I would like to know if:
- The Microsoft credit is an error ?
- Has ZDI sold these 0days ?
- Have HP Digital Vaccine filters been reversed ?
- Is ZDI victim of a leak ?
- Is ZDI victim of an internal threat? Lot of ZDI employes have left the company recently.
Updates
09/22:
Robert Graham @ErrataRob has write an interesting article “0-day leaks from IPS” regarding my question “Have HP Digital Vaccine filters been reversed ?“.
Another option: As ZDI is not the only vulnerability broker, both researches might have reported them to another vulnerability broker who either did not want to pursue it or who paid less. That other vulnerability broker should not have used it for anything, but maybe he is victim of a leak, or dishonest?