ZERT: Zero-Day Emergency Response Team

Dave G. | September 22nd, 2006 | Filed Under: Uncategorized

Ryan Naraine at eWeek writes about ZERT. They are a bunch of really talented folks working on handling the dreaded race condition between a zero-day disclosure and a vendor patch. I think we knew that third-party patching wasn’t going to disappear.

From the ZERT Website:

ZERT is a group of engineers with extensive experience in reverse engineering software, firmware and hardware coupled with liaisons from industry, community and incident response groups. While ZERT works with several Internet security operations and has liaisons to anti-virus and network operations communities, ZERT is not affiliated with a particular vendor.

ZERT members work together as a team to release a non-vendor patch when a so-called “0day” (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to “crack” products, but rather to “uncrack” them by averting security vulnerabilities in them before they can be widely exploited.

It is always a good idea to wait for a vendor-supplied patch and apply it as soon as possible, but there will be times when an ad-hoc group such as ours can release a working patch before a vendor can release their solution.

The team line-up is impressive.

Members:

  • Dennis Elser
  • Elad Raz
  • Florian Weimer
  • Gil Dabah
  • Halvar Flake
  • Ilfak Guilfanov
  • John Cartwright
  • Katrin Shechtman
  • Matthew Murphy
  • Maxim Vainstein
  • Michael Hale Ligh
  • Michael Lynn
  • Morgan Schweern

Liaisons/Administration:

  • Nick FitzGerald (Anti Virus industry)
  • Paul Vixie (Network Operations community)
  • Gadi Evron (Internet Security Operations community/Operations manager)
  • Hank Nussbacher (Internet Security Operations community)
  • Aryeh Goretsky (Coordination, administration and logistics)

Comments:
    Shameless but hopefully still acceptable plug. The ability to create and deploy 3rd party 'patches' using freely available software has been around for quite a while here: http://force.coresecurity.com
    (a free, still in beta, highly granular and configurable HIPS/HFW tool with an Apache2/CreativeCommons license)
    Basically, you can define permissions for applications and share those permissions in an XML file posted on a website; other users can review and download those settings and use whatever permissions you've set to avoid exploitation of vulnerable programs on their systems. For example, denying execution of vgx.dll, dcactle.ocx, etc. is as simple as setting -RX permissions on the file using a GUI.

    Similar things exist for Linux (i.e. AppArmor) but I don't know if there are any mechanisms to share configuration settings among users. Allegedly, this kind of third party solution may not be as important for open source projects because fixes come out faster and you can actually find out what was fixed more easily without the need of the highly skilled and generous reverse engineers of the ZERT. Unfortunately some closed-source big software vendors tend to think that they are the only ones that can provide effective countermeasures to the bugs they produce in their software. This is, by itself, a demonstration of arrogance and an underlying mentality used in customer lock-in tactics. If third party patches come out faster and more transparently than official fixes, the affected users will have more options and some opinions about disclosure of bugs and their fixes may change.
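As an added illustration of the shared-permissions idea the commenter describes, here is a small Python evaluator for a settings file of that kind. This is example code written for this page, not CORE FORCE's own format or code: the XML element names, the `-RX`/`+R` permission syntax, the `example.ocx` file name and the application paths are assumptions (only `vgx.dll` comes from the comment). It also shows the check a practitioner would want before applying settings downloaded from someone else's website: the file's SHA-256 is compared against a value pinned from a trusted channel, and a mismatching file is refused.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample shared-settings file (hypothetical schema, not CORE FORCE's).
# One <application> block per protected program, one <file> rule per module.
SAMPLE_POLICY_XML = b"""<?xml version="1.0"?>
<policy name="example-shared-hardening">
  <application path="C:\\Program Files\\Internet Explorer\\iexplore.exe">
    <!-- deny read and execute: the module cannot be loaded at all -->
    <file path="C:\\Windows\\System32\\vgx.dll" perms="-RX"/>
    <!-- deny execute only: the file stays readable (example.ocx is a placeholder name) -->
    <file path="C:\\Windows\\System32\\example.ocx" perms="-X"/>
  </application>
</policy>
"""

# Digest the publisher would post for the file. Constructed here by hashing the
# sample; in practice it is pinned from a channel other than the download itself.
SAMPLE_POLICY_SHA256 = hashlib.sha256(SAMPLE_POLICY_XML).hexdigest()

VALID_OPS = set("RWX")  # read, write, execute


@dataclass(frozen=True)
class Rule:
    app: str          # lower-cased application path
    path: str         # lower-cased file path the rule applies to
    deny: bool        # True for '-' rules, False for '+' rules
    ops: frozenset    # subset of {'R', 'W', 'X'}


def verify_policy_digest(xml_bytes, expected_sha256):
    """Return True only if the downloaded settings match the pinned SHA-256."""
    return hashlib.sha256(xml_bytes).hexdigest() == expected_sha256.lower()


def parse_perms(perms):
    """'-RX' -> (deny=True, {'R','X'}); '+R' -> (deny=False, {'R'})."""
    if len(perms) < 2 or perms[0] not in "+-":
        raise ValueError(f"bad permission string: {perms!r}")
    ops = frozenset(perms[1:].upper())
    if not ops <= VALID_OPS:
        raise ValueError(f"unknown operation in {perms!r}")
    return perms[0] == "-", ops


def load_policy(xml_bytes, expected_sha256):
    """Parse the shared settings into Rule objects, refusing a tampered file."""
    if not verify_policy_digest(xml_bytes, expected_sha256):
        raise ValueError("policy digest mismatch; refusing to apply")
    root = ET.fromstring(xml_bytes)
    rules = []
    for app in root.findall("application"):
        app_path = app.get("path", "").lower()  # Windows paths are case-insensitive
        for f in app.findall("file"):
            deny, ops = parse_perms(f.get("perms", ""))
            rules.append(Rule(app_path, f.get("path", "").lower(), deny, ops))
    return rules


def is_allowed(rules, app_path, file_path, op):
    """Decide whether app_path may perform op (R, W or X) on file_path.

    Deny rules win over allow rules; with no matching rule the default is allow,
    which mirrors an opt-in hardening list that only names what to block.
    """
    op = op.upper()
    if op not in VALID_OPS:
        raise ValueError(f"unknown operation {op!r}")
    app_path, file_path = app_path.lower(), file_path.lower()
    matching = [r for r in rules
                if r.app == app_path and r.path == file_path and op in r.ops]
    return not any(r.deny for r in matching)


if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY_XML, SAMPLE_POLICY_SHA256)
    ie = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
    print("iexplore may execute vgx.dll:",
          is_allowed(rules, ie, "C:\\Windows\\System32\\vgx.dll", "X"))
```

The digest check is the important part for settings shared by a third party: a user who applies someone else's hardening list is trusting that list to deny the right things and nothing else, so the file should be compared against a hash obtained from a source other than the same web page it was downloaded from.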
