Anatomy of an 0-day

Cody Pierce, a colleague of mine at TippingPoint’s DVLabs, was recently profiled in an article by Dennis Fisher over at SearchSecurity.com. The article basically describes how Pierce went about discovering and disclosing an 0-day vulnerability in the Internet Help Control ActiveX component last April, which resulted in a patch from Microsoft last August.

To do this, he built a custom fuzzer to test large numbers of ActiveX controls and separate the wheat from the chaff. He wrote the fuzzer using the Python and Ruby programming languages and began looking for remotely exploitable vulnerabilities that posed a serious threat to Internet users.

“There are 4,000 ActiveX controls on a typical XP machine and I looked for the ones that could be loaded in Internet Explorer,” Pierce said. “Then I looked for the ones with problems and then the ones that were critical. I wanted to see what was exploitable and what was just a denial of service.”

The article then goes on to hint at a paradigm shift in vulnerability research that targets web and hosted software, noting that as more and more software packages are provided solely on the web or by ASPs it’s increasingly difficult for 3rd party researchers to target those pieces of software. Due to the fact that such software generally isn’t available outside of the ASP or company hosting the web application for testing in a controlled environment, targeting such applications for vulnerability research can be construed as an active and malicious attack.

Kudos to Pierce and TippingPoint for the excellent press coverage!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: