By Jonathan Yarden
To the average user, one of the great mysteries of computing is how hackers and security researchers discover vulnerabilities in applications. But there really is no magic involved with finding vulnerabilities; it just takes a lot of experience and knowledge.
While programmers with limited skills sometimes manage to find vulnerabilities in application source code, it generally requires a lot more experience to audit source code for vulnerabilities. And that's not even taking into consideration the skill and experience that's necessary to identify vulnerabilities in compiled code.
Compiled applications are basically streams of binary data. It takes a great deal of understanding of the inner workings of microprocessors to find vulnerabilities. This requires the knowledge of assembly language, a very specialized programming skill—one possessed by a minority of programmers.
Of course, it certainly seems beneficial for all computer users to expand their knowledge. And earlier this month, the Metasploit Project released a tool that it hopes will help users better develop this understanding. But as I read more about Metasploit Framework 2.0, a collection of tools for developing and testing exploit code, I can't help but remember the old adage that warns a little knowledge can be a dangerous thing.
Although released as a research tool, Metasploit will certainly find use within the hacker community. Like other virus and worm "toolkits" circulating freely, Metasploit allows people with limited abilities to leverage the skills of others to create hostile code to exploit vulnerabilities in applications and operating systems, including all major Windows versions.
Will Metasploit lead to a rash of new worms and viruses? Many industry analysts are asking this question. Exploits generally appear shortly after public disclosure of a vulnerability. This isn't surprising—the majority of people who exploit vulnerabilities are simply making use of public information. Any tool specifically designed to create exploits may encourage people who do not otherwise possess the skill or impetus to begin creating exploits.
There's no doubt that Metasploit makes it almost trivial to create hostile code. For security researchers and administrators, it's undoubtedly a great way to proactively detect flaws in their applications and learn how to better defend networks against attacks.
But for those who write malicious code, it's just another way to cause problems. Remember that antivirus companies can only provide protection for exploits they can identify and provide signatures for. If hackers released a large number of viruses and worms simultaneously, the vast majority of Internet users and antivirus companies would have no time to react.
On the other hand, before passing judgment on the authors of this tool, consider that Metasploit could perhaps do the entire computing world a service. Vulnerabilities in software are the consequence of poor programming practices. But the root problem isn't that exploits for vulnerabilities exist—it's that the vulnerabilities exist in the first place.
Perhaps tools such as Metasploit might cause programmers to spend a little more time reviewing their code to look for unchecked data input areas. And it might convince programmers to learn more about the internal workings of microprocessors and better understand the consequences of buffer overflows.
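The kind of "unchecked data input area" the column has in mind is easy to show in C. The following is an added example, not code from the column or from the Metasploit Project: a function that copies caller-supplied input into a fixed-size stack buffer with no length check, beside a hardened version that rejects input that does not fit. The function names, the 16-byte buffer size, and the sample inputs are all illustrative assumptions.

```c
/* Added example (not from the column): an unchecked input copy and its
 * bounds-checked replacement. Names, buffer size and inputs are illustrative. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed buffer size, including the NUL terminator */

/* Vulnerable: copies whatever the caller supplies into a fixed 16-byte stack
 * buffer with no length check. Input of 16 or more bytes overwrites the
 * memory adjacent to 'name' on the stack: the classic buffer overflow. */
void greet_unchecked(const char *input) {
    char name[NAME_MAX];
    strcpy(name, input);            /* no bound on the copy: the defect */
    printf("Hello, %s\n", name);
}

/* Hardened: checks that the input (plus its terminator) fits before copying,
 * then copies an explicit number of bytes and terminates the buffer itself.
 * Returns 0 on success, -1 if the input was rejected. */
int greet_checked(const char *input) {
    char name[NAME_MAX];
    /* Look for the terminator within the first NAME_MAX bytes only, so an
     * unterminated or oversized input is never read past the buffer size. */
    const char *end = memchr(input, '\0', NAME_MAX);
    if (end == NULL) {
        return -1;                  /* 16 or more bytes: no room for the NUL */
    }
    size_t len = (size_t)(end - input);
    memcpy(name, input, len);
    name[len] = '\0';
    printf("Hello, %s\n", name);
    return 0;
}

/* Review helper: does this input satisfy the bound greet_checked enforces?
 * Returns 1 if it fits (at most NAME_MAX - 1 characters), 0 otherwise. */
int input_fits(const char *input) {
    return memchr(input, '\0', NAME_MAX) != NULL;
}

int main(void) {
    greet_unchecked("Ada");         /* behaves only because the input is short */
    greet_checked("Ada");
    if (greet_checked("this-name-is-far-too-long") != 0) {
        puts("rejected oversized input");
    }
    return 0;
}
```

The two functions differ only in the one check a code review should be looking for: the hardened version never lets the length of the input decide how many bytes land in a buffer whose size was fixed at compile time.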
When it comes down to it, hackers already have this understanding. But tools such as Metasploit, while presenting the potential for abuse, also have the potential to teach—and empower the good guys with the knowledge the hackers already have.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.