I was pleased with the debate generated from my September 1st blog posting "Why all the hype about 0day". The Slashdot conversation was an active one and there were several solid points made regarding the risks of 0day vulnerabilities vs. known vulnerabilities.
In that post, my hope was not to suggest that 0day attacks do not remain a serious security threat, but rather to highlight the damage that can come from known vulnerabilities when they are not patched. A strong distinction between the two cases is that 0day attacks tend to impact the vulnerable organization directly, while known vulnerabilities tend to be leveraged by email spammers, phishers, etc., to identify 'low hanging fruit' that can then be used to harm others.
Over the weekend a new vulnerability emerged which allows me to comment on the other side of the coin - new vulnerabilities for which a patch is not available - the so-called 0day attacks. On September 2, 2006 a vulnerability emerged in TikiWiki, a popular open source wiki project, that allows for file upload and PHP code execution. This vulnerability poses a threat similar to the known vulnerability in MediaWiki which I spoke about in my last blog and therefore provides a strong comparison. This one has the potential to cause some real problems for several reasons. First, TikiWiki is a very popular wiki used by many organizations. According to SourceForge, the 1.9.4 and 1.9.3 branches alone have had nearly 24,000 downloads. That figure doesn't take into consideration earlier versions which may also be vulnerable. Second, the most current version of TikiWiki is vulnerable, and while a workaround has been posted, a patch is not yet available. Third, functional exploit code is available. Finally and most importantly, according to the TikiWiki project, Russian hackers are presently exploiting this vulnerability in order to install spam and/or DoS bots. The TikiWiki project site itself was unavailable over the weekend due to this vulnerability.
Interestingly, the exploit link at SecurityFocus was serving up a 404 error this morning. It's not clear if the exploit was intentionally taken down or if it was simply an error, but it doesn't really matter as the exploit code is readily available elsewhere.
What does all of this mean? It means that 0day attacks are serious issues that can't be ignored. One of the Slashdot comments on my last blog entry stated that "if you're on top of security, staying in touch with the latest vulnerabilities has some real value". I agree completely. For those organizations willing to provide sys admins with adequate resources to patch systems in a timely fashion, 0day attacks are and will remain a serious concern. What I fear is that such organizations are the exception as opposed to the rule. Will this current TikiWiki vulnerability go from being today's 0day to tomorrow's "low hanging fruit"? I suspect so, but time will tell.
- michael
Posted 09-05-2006 10:34 AM by erik.peterson