This is all very true and, to be candid, I’m not in the least bit surprised by these findings.
To be clear, the way it works today for the legitimate world is that someone (ethical hackers, researchers, Microsoft labs themselves) studies the code and finds vulnerabilities. They then report these issues publicly in the hope that this will force companies to fix those issues quickly. While some companies do that, others don’t, and due to two main reasons.
The first being economical – it costs money to dedicate a task force to fixing bugs. The second lies in the fact that a vulnerability per se is not necessarily an issue, that is, until someone demonstrates that an exploit is possible.
In fact, what we should be discussing here is exploits rather than vulnerabilities. An error in the code doesn’t necessarily lay it bare and exposed to attacks ~ at times, exploits aren’t even possible ~ therefore, fixing that vulnerability is a moot point and a potential waste of money. This is why the vast majority of companies adopt a “wait and see” attitude, to ascertain if the exploit is actually possible and how hard it is.
My perplexity with this article is not whether the issue is revealed to the public or it isn’t. I’m more focused on the fact that professional hackers are already doing all this research on their own. Yes, it’s true. They’re already fully aware of the vulnerabilities, are most likely exploiting them, and aren’t telling anyone because the longer their findings stay secret, the more money they can make. Hence, shouting out loud when we find something doesn’t give an extra edge to these hackers because, very frankly, it’s old news for them.
That said, it does give us ammunition to go back and demand a fix from the manufacturer, who might otherwise never even attempt to fix the issue, even when it’s been made known to the public.
I was able to share my views with SC Magazine in an article posted online yesterday evening. If you have a few minutes, I invite you to read it here:- http://www.scmagazine.com/zero-day-attacks-last-much-longer-than-most-would-believe/article/264104/
Until our next blog post, have a good one.