When it comes to the poor state of cyber security, we think one of the important elements that has gotten us to the current situation is the poor state of security journalism. Instead of shining a light on the many bad practices of the security industry, journalists too often repeat the claims of security companies without doing any due diligence as to their accuracy. From what we have seen with web security companies that is a bad idea, since you not only have companies that will blatantly lie to the public, but you also have a lot of companies that don’t seem to understand the basics of security.
One company that doesn’t seem to understand the basics of security is Wordfence, which a couple of weeks ago we found doesn’t understand what a zero-day vulnerability is, leading them to claim exclusive knowledge of zero-day vulnerabilities when the vulnerabilities they were aware of were not in fact zero-day vulnerabilities at all.
Based on how often we see security products and services promoted as protecting against zero-day vulnerabilities or attacks, at least the marketing departments of security companies think that their customers are fairly interested in protection against them.
A zero-day vulnerability refers to a vulnerability that is being exploited before the developer has become aware of it, and therefore before any fix exists. To be able to protect against those when they start getting exploited requires you to be able to protect against any kind of vulnerability, since any type of vulnerability could be a zero-day vulnerability. That would be difficult to pull off, to put it mildly.
As we have found while detecting those vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service, quickly detecting them once they are being exploited isn’t necessarily difficult, but it hasn’t been something other companies dealing with WordPress security have been doing (as can be seen in the fact that we have found numerous vulnerabilities that look to have been exploited in the wild for some time without other security companies doing anything about them).
What is far easier than actually protecting against or quickly detecting zero-day vulnerabilities is to simply label any vulnerability you have found as a zero-day vulnerability. That is what Wordfence has done; in their case it doesn’t seem intentional, just their lack of security knowledge once again at work.
The distinction between an actual zero-day vulnerability and any vulnerability that a security company happens to discover is quite important. First, many (maybe most) vulnerabilities are unlikely to be exploited, whereas by definition a zero-day vulnerability is one that hackers are likely to exploit, considering they already have been exploiting it. Protecting against a vulnerability that isn’t likely to be exploited is of a lot less value than protecting against one that is. Second, if the security company doesn’t disclose the vulnerability as soon as they discover it and instead notifies the software’s developer, then the developer has a chance to fix it before it would be exploited, but again by definition a zero-day vulnerability is being exploited before the developer has had a chance to do that. If a fix has been released before the security company discloses the vulnerability, then those keeping the software up to date will be protected if there are exploit attempts after it is disclosed, while that won’t be the case with a zero-day vulnerability, at least when it is first being exploited.
That all brings us to today, where there was an example of bad journalism leading to unfounded claims of zero-day vulnerabilities. Over at Ars Technica an article titled “Security company finds five “zero-day” flaws in EMC management console” was put out. If you read the article there isn’t anything that backs up that these are zero-day vulnerabilities, just that vulnerabilities were discovered. In looking at the post on the discoverer’s website that is cited in the article, there is no mention of zero-days at all; instead what they state is this:
The Digital Defense, Inc. Vulnerability Research Team (VRT) has identified six previously undisclosed security vulnerabilities found in the Dell EMC VMAX Management Product family.
Ars Technica was not the only news outlet claiming they were zero-day vulnerabilities; ZDNet has an article titled “Multiple zero-day flaws found in EMC storage systems”, which again doesn’t include anything that backs up that these are zero-day vulnerabilities.
So where did the idea that these were zero-day vulnerabilities come from?
The answer seems to be the press release the discoverer put out, entitled “Digital Defense, Inc. Discovers Multiple Zero-Day Vulnerabilities within EMC Unisphere for VMAX”. While zero-day vulnerabilities are mentioned in that, there isn’t any indication in it that the vulnerabilities are being exploited or were being exploited before the developer knew of them, which would be required to make them zero-day vulnerabilities and not just vulnerabilities that this security company had discovered.
It really should go without saying that doing journalism based on a company’s press release, which makes a claim that isn’t included in the company’s related post about the issue, isn’t a great idea if you care about getting things right.