No Zero Day this July

For no apparently technical reason, July has traditionally been a bad month for the security world. Major vulnerabilities have been announced (i.e., the Cisco IOS hole revealed last July 18), exploits have been released, research findings presented by security firms trying to demonstrate their level of expertise, and past presentations at BlackHat and Defcon (always held in July) have covered previously unknown vulnerabilities.

But July 2004 was relatively quiet, security-speaking. There were no major vulnerabilities actively being dealt with around the time of the premier hacker conference in Las Vegas, which usually lead to discussions in the hallways, at the bar or around the pool.

Attendees at BlackHat were clearly disappointed that the “Zero Day” track of presentations did not include anything new from security researcher David Lichfield of Next Generation Security Software in the UK. Litchfield is famous for finding many problems in the database world, like the SQL vulnerability that led to the Slammer worm (see a story on Litchfield’s findings here). This year, he was expected to release more, but instead he explained how he has in fact found more vulnerabilities, but can’t announce them. He gave no explanation.

Well, I guess there's always next July.