30 days of 0-days, binary analysis and PoCs

An independent group of security researchers that goes by the name of Abysssec Security Team has announced some two weeks ago its intention of making September a month of disclosure.

They plan to unveil 0-day bugs, web application vulnerabilities, detailed binary analysis and PoCs for patched vulnerabilities and unpatched flaws that address some old and some new vulnerabilities affecting popular software.

Starting with the release of a Cpanel PHP restriction bypass vulnerability 0-day and an Adobe Acrobat Reader and Flash Player “newclass” invalid pointer binary analysis, this initiative will likely attract a lot of attention from affected vendors and especially potential attackers.

The release of exploit code just hours after PoC code is published is not that uncommon. The publication of flaws that will include a PoC will definitely spur vendors into releasing a patch sooner that they would have liked to, but this could lead to incomplete and shoddy fixes.

As always, those that stand to lose the most with these revelations are the common, low-level users. I know the issue of vulnerability disclosure is a rather tough one to solve to everyone’s satisfaction, but does it seem fair that we now have to fear the actions of the “good guys”, as well as the “bad”?