The Sys-Security Group

The release of the Core security advisory regarding a remote kernel buffer overflow with OpenBSD’s IPv6 implementation is an indicator of what is expected to come next regarding the security and stability of IPv6 stack implementations.

In my opinion, when (and if) IPv6 will become more widely adopted and exposed we will experience an increase with this type of advisories and consequently with the number of incidents involving stack implementations of IPv6.

As more security researches will have the opportunity to examine and test IPv6 stack implementations questioning their strengths and weaknesses we should expect a number of these advisories with regards to the stability and security of these implementations.

It would take some time until the majority of theses issues will be exposed to the public and fixed, like with any other technology, which is new.

It sure was a matter of time until a major newspaper (Brad Stone for the New York Times) would pick up on the subject of trading vulnerabilities (article). Specifically selling vulnerabilities to companies, which provide some kind of a service around it.

On a recent blog post at Matasano (iDefense Underbids on Vista Vulnerabilities) I commented that: “No one guaranties the so-called 0-day is really is 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known”.

Theoretically speaking one can sell a vulnerability to multiple parties, and/or abuse it for other needs, without the buyer knowing that.

The market place for vulnerabilities does bring up interesting legal, and ethical questions regarding the actions of those companies who are buying these vulnerabilities and the source(s) they are buying these from.