Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Zero-Day Challenge Revives Disclosure Debate



 By: Brian Prince
2008-05-08
Article Rating:starstarstarstarstar / 3


There are 2 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Zero-Day Challenge Revives Disclosure Debate
  2. Responsible Disclosure Becoming Irrelevant?

Rate This Article:
Poor Best
Zero-Day Challenge Revives Disclosure Debate
( Page 1 of 2 )

An Israeli researcher challenges readers to find a proof-of-concept zero-day bug embedded in his blog.

Security researcher Aviv Raff is marking Israel's 60-year anniversary in his own wayby embedding in his personal blog proof-of-concept code for a zero-day bug targeting Internet Explorer Versions 7 and 8b and challenging readers to find it.

It's a treasure hunt of sorts, which Raff said is in keeping with an Israeli Independence Day tradition. But it is also a spur to discussion of responsible disclosure.

"I've had bad past experience with [Microsoft] dealing with vulnerabilities I submitted," Raff said. "I know that it will take them too long to patch it, unless they'll have some sort of pressure."

Raff described the bug as a remote code execution vulnerability. When triggered, the flaw will launch Windows Calculator, but it can be used to install malicious software on a compromised machine. He said he notified Microsoft of the flaw on May 6.

Resource Library:

A Microsoft spokesperson confirmed that the company is aware of Raff's claims of exploit code, but said the company does not know of any attempts to exploit the code in the wild.

"Once we're done investigating, we will take appropriate action to help protect customers," the spokesperson said. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

At its core, the concept of responsible disclosure rests on the question of how much secrecy is good for IT. On the one hand, keeping software vulnerabilities secret can keep them from falling into the hands of hackers. On the other hand, it keeps information about vulnerabilities away from the people who are affected, while hackers may still uncover the flaws on their own.

"Software vendors would never issue patches if there wasn't the threat of vulnerability disclosure and attacks," said Gartner analyst John Pescatore. "They would just bundle the fixes into the next regularly planned product release."

Relying only on security through obscurity is a bad thing, but secrecy is still always an important part of security, Pescatore added.

"Why don't we all just wear T-shirts with our passwords on them?" he asked rhetorically. "The same issue comes up with what information should be made public on Web sitesjust because we have the floor plan of government buildings in electronic form, should it really be put on a Web site?"

Are month-long bug disclosure events just selfish publicity-hogging? Click here to read Security Center Editor Larry Seltzer's opinion.

TippingPoint Security Research Team Manager Pedram Amini said it is not uncommon for there to be multiple simultaneous discoveries of the same vulnerability, meaning that a flaw's existence could be known by others in addition to the researcher who chooses to disclose the flaw to the affected vendor.

"I would argue that most published vulnerabilities are known by at least someone other than the credited discoverer," Amini said. "Whether or not, given this fact, it is in the [public's] benefit to disclose all details as soon as they are known is a debatable question. I personally believe that the veil of secrecy should not be pierced in all cases possible while the vendor works on a patch. If a bug that is currently being worked out by a vendor is discovered to be publicly exploited, then certainly at that point full disclosure is a necessity."

Raff said he usually gives the vendor a chance unless he knows for sure it won't fix the bug in a reasonable time. Microsoft certainly has taken a while to address certain flaws: according to a list supplied recently by TippingPoint's Zero Day Initiative, Microsoft, Novell, Oracle, CA and Hewlett-Packard all have bugs in their products that have gone long unaddressed.

Raff said he plans to release the full technical details of his finding May 14, and will be placing clues on his site almost every day until then. 





  Reader Comments: Zero-Day Challenge Revives Disclosure Debate
>>> Post your comment now!
Disclosure of vulnerabilities
One of the first things taught in Navy security in the early 70's was that "What someone can encode, someone can decode." That disclosures have...
Posted At: 05-12-08
By: oregonnerd
A user comment on this article
Hello, this is Brian Prince from eWEEK. What are your thoughts on the subject of full disclosure? How much secrecy is too much when it comes to...
Posted At: 05-08-08
By: Brian Prince
>>> Post your comment now!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}r۸j9km]mGJɖkŶ,%N"!c")_f 7]hv2TlFwh4~ 'I"gnZ΄ܦdwÀ>]K$oB}wNUQV #7((bP<HwO7n[Q0R?`᳙*,Q  tjGt0]2d6k6!o4vekOh cߨ_X&``1Zt|R!ۗ#: rWӺ%A`FA|QCѺYQy$pm<$Q}c QL6^:6 ȅC׷z$nRv'n7oR 205I2Z [XdTZ wӑku8r 08juj=nf,n@w(\'p}j F1 9,!\ZIa^_y yN <:tQV_սyo@בnL|wdۯa-wQKw T6'>6L) |HCɤ:Zdq}9e,f4öCCٰo5RrXJyy+^+Y-\h7FssL(eu7ٺsm%k%m{|NsvF5yvty/g@o&3W`ZLTQRpf Rc@G'Y_G5}(ĭ~o[%MR?4,fϷ 3+i3*,GѠ-?[:U!UsY6f0ZiCA+WtW?c[ˠjq}Ҿ~^{}rһ"qɝF4pgs Z_Zz`CėvO|3R?&:aZ+}I-Ef;|io]~8:$ץcYn0dN`mY\H!-O|T|Y|ԛE34 i[2)=-8oX@/@שS A4VtBmT7oh2 f4 .ͭFh- @ho*K>Lr &@Sk~$GM\5ņ])!edJS{봀/^$P!P샖_. jNTwEQS'=^f&/\RD3Al8{ÄWTwsQ iz|28E]7kDm.-s5-wjcZVp3itZW6_.=t[:0*>cq4Y`A-. 8ù:on:j~b:o}52o+r%(NMf[ԑplPòǔIzݿaAgEy|FMk>ktI=DC#ɠ:ڴ;\VS4!&-Ѐ 'pbdx: # 0f4mLH#AтMtT8n]`2Z9ܹ L& zVtc` VGPC!nH }P(Vr`{nȲc@|j JG@i0xzۢ dSJJd$D!-i]R@Az< -,rrl++~'~vGBj+6ODs@PGҙ;qjr_)̄rZ z)2ٜʬ$3Mf힟 X*ȉ#o"0%X -gZ Xk5Ʋ fj~iڛ-Â%bi]ym,`b I[$%\Ew,t3Awp=7߄s ڷ`T4fsSڶMS}77UBsNHB/W2 \_&VAB5 6d:ɤPl';oWfLZ`!?ՊRRՄiO5 &^PGe d^ `M`Rc׶ݻ| :lF֝<}Zj[<>9Q>5 < ıςL׃RUaT8j]~VwVV0\n}OДa˘;|qדNl*IrIQ)kMf9oLI3ۊhȈ0Aq_8R" @548~x *O$BZ--UŨN=M =7`q0zK&O>qӞrFVyYBYa0OykR^K?N aYj8+0yϹoǼL ʐixG2gdYJhUm{\ cw2|>?/$,RQv+Ձ΀LdV֪EzXz,)uzh &RrEE7uȋ­7:P$#I(OU?2j_JZVϢ C.zFpiEB֒%3qܻB-ܟ`@O|CZO]TK0enzIMYIzQK #nK-%. ހذ:zf(tם.f secn?f&s,.Ҟi:-ef{F*ݔYsVR$gI#g?amE:JbI2N=y}5umf`<#ɟ?9?pwP7| o>eM+v@lkZpw|L2M: {G ɲ\' ׫UVگ]q.g$ ,$,zǣx]!6p),|ίrH`QUE[ꞷuhClYj2e'A)hdQL?jnWOVݽx']wѳ `yB蕣`;p[WKǽ?wHκ)ޠw)z0WF:뾻8`9P*aӺ@>m48 Z&IĘ 3^6Q}A5 q];WY0z!B3ZOUc)zF E0ע:M?vVCp01zB@+䴨~Mb۽cscE)vwR6x}y9b1?ݾne)ܱr0jw;操~;Oj9vЛ3LةEݘtvzNhs3 {c1Tuv0؁H.Ero5 W&k Omzcl3ȲÈǥܷrtg ހ+Һ485L:0g,H~"['|$A1|_MuSOF 95C/3r°y}l(=hG_t?vOJw{ѧmE4 tijVTcf;i6$BUU+jA\EVe.tїN|2<9:k ,Fsd3rT?#ziВ116onP;54zCAcIU~(TR-n .aO"J骇\v%(c|MU,^RRMJ>\%k@" bY_BIKwvzYN ĦW=1_3~1O O=qԱفȣCX ?*4lo`zU`[ʅ=RH3xH <v<..߮ݘ8)<A~A< vL4)[+xJF}ia3⫆†u õQ`Vaj8-7OI$|#؈oO_Oo*NƊ f™+ꈧ W/5;US Mk!/1 %C%h3[Q@)7#_ƥE/.qh&pjwx7FX#NvE<:KDg \iDI#/7F{_p|KKV!-m8X6% pGnPщtf9[N&Ce.P/1H݁!K}g!=u更BbG5=9&ext9mNS^>vc"Q2ގmŹOh'5XR1f}]tRԎdlU+ tbxl/Æ}ȺMph=g$H,UV5\4f5%qSdP7JmjDZڢIo!~#=ڌh, :Fl0E@ǗǪ ާ64}TJƤh2#O^ _sFl"P]ɈK֏TO1"Sc˟RW0Թ@Q_L}?H6"ATJ:~)[:M"$MIBE{Ȉ7A>ϡI//ߊ*y 7%UɼԾ W~p  :Q:JnGue#֌Ȓ Z @,Qȵ̤ONʦZeٳ f?.TJF,ʁ(D$Vr{,sDh>Mno緾tbA(t !Y5 #+J#F ! j\#o>-mnQy+IJXgS8t]6M*RR5iDl8B-NGk>V WeS8CD}*:(u2iS=ዘ&  :,5d["īpnnW+FJ 03R Z@'{"Sզc fgnԙЍeTDb@ߪpnnW[F$Xθ[yUΈŝ߽߽߽߽_Z-ת{]-uqXOafi ?_\]QHWN|Ebײַ}'|"Qjo8t/lR\dq?P;onrp-fN>: RۥEkFAHIX@X\VGxoos͢xRפTTUFvhi~{;)oRtP|&4rKQ VIEr@N2I0d(ϒAb*kP8M Jr4Jdi> .qr0 r},IH؟[!]i. ir_ fMPmnXqAy |9Ճ9' 1:˓~=8ܮ$e|;IGopsI?=I<++++w%+R/J.0ayI`Z诬&S0m0YA $!e*g0e1BX?11ڛܴLV` m9&m钺Mq1pMa=$v(ޭD8$coEDqonv|WbJ:X>Ǯmx0F+;MD7chtkS+0&GOI2/fXT Mj}mV88%5 yf #,"D Et$'lۃ!):9v7(Aؙͭ 7]WJ族YHax.tM^8xU]?ܴܯ+Uh4W<,xQ"\ʂ7YC;z ˄d}32D#CH/2,]t@gqmw(3=i-~ N|k}OQziމ0tgW~Evz\^o5P<g3wk{Re[_gu:\s l{tS.Do'@e}_|kN ksnziT&Z)a z[ASkXԍ^mCl(I#xۀچձ|5(H^uσdUoko#fE[u^)Kcjhk;5ߠmlC~zlï~JYf-e։5|V$.b*ΘhVP2]QTKop#@d|H`Y+ Z!ǎ[; I77^G%H:+Ӈ"t?A* nO2Ť8,h6Ef`a3/0I_7nmJL=ǔuTǏ;'k~;;ѥ٧0G_[L" M!pl xt${ē;!qG2bDݵZ/3Z䏅B/o 7K.He _M!Aa[D0r a B6?7}:Dq0 vNz@YmӶ,5v1h}P2D#%1d(c$\gs4V5Śx KE4j=="@Ÿ Rxc) +hWۏAE!Lj]A%ee3-t{ (-\"ΙTh,ZNtGPĥkc.эZMWWK.KBG2K*ߕlW1 {BZĻITeskɧj*V+iT-A8^i1=hs|YM13цX50yfB׵GavDW&e|W@O[fkhP♛U֝U&S7ƔgGE[TxSvXp=vd'!ZƒM2Ӱp-c| Y?NRUFwifӨzVCTj~vȟ_ C)5^VC,F&RqhJ#gxԹ5Kz /}\pY$XkO:Vga^N0wRʥz5yGRa )d 0MQFs,飏ji+TJ M?; n9θ/쇰|pP[}1W-fgqE/jSx+E"ot#㽽WԄm$5DXc%NMgD]%AJ%՜B->#Թ|IU_tyZܾ\`{1䬼2lmEUk)7g%.0,%S9ݱ=X z=jX:N#RF¯9̪ f=0YUTbtb71Ք7ZvN[{Nd&׈1 ey8S_+@ZBB(YYv' .'G>Vv/?VHzՕׇd}extꐯJ"(HF۶6;+c.c2oV0!wAG>p2zUR=U&=hxqـjEl~%:td6ɭ:&&sُp`3'&ΐ!,E|E|z['AU}>l1d]+62 1jLlo/u\w:Z3rѹuU=<LG ]ptq=*x ޤ3\q\" CRO⺢ 2XpwFH]ԅي_!G\oX|J7b75|$rkIC9Ҍ]ooFE_WJێ^䰟aD9p=Sa-.ȘhD MQ VHxLirtNnOKZ&6@@P0H47׷@! F$%xL1fH'͈))FH ACa{c{%H"V|8snj}J" rۗzJ,g c)]N*@`g*#!L)%n67p>9/´2 s`EPf00aLn?we~t6&Y!fF5KjltQQ({b8Mt?؃3,ȏWHmݜ(8z1I)t#K/Hzsdp򍵡H@P!bJ])IdR|:TJ|+R0cU+_Pw^7D z+YT( I+1;}^oih t0 c3brLufcٺ;eIȱkh71MTQ`1D'M&7bS9HShF&5+:v<)s?C+(Z_~NmS>X_;9P~sCww9?/?vmC9CL"~S ?/?g9j9s?y9=缏9y^?攟BiN?9P~S{3 ?9sw3~=/=?/9q _s?}?W(u}9?~sCk(+kh:kKu3Ay+GZpz~;29)G9R{WK}(gUsV^Va{CjgU_?Gޫ@OIܽ< aqʍz^S_xڙ閽pLڭe]9hwp_l(%^a/ ^敽< xEB+gٔ@#X{#uO'NW6#ﹺ d^)WsM}Ӊ{Z?Ś/Yy<qLkbžȁ>l>(c#h .Ǒrۿ?|k2yi8?{o\pm`L߱V-ahOW. iMogn\[Dpqk;O΋kwՕ |3/߆zI':+;PxZLܸrpoQ^" #"5 -'`<[`oeZ7㌰6և{ C:We]=tF}Yʪ9(ѰH7Ejorx s{)螩z$ MW 7\xќď;ppCö0A |$U˚VVk[*j f{DDç*R'Ӏe`_)&K<# .=M^et fMȡ!pAfJ-@ P }:Yl*iۼx`TS;i@9$Lo9Xj,.#v2'Q+<ƝC+4X pov1R {{[2gډe:ɇ`|I8SkCӄY"D˼xl4@[4Dr(9Pų l1@ҙ z93IN hJ/.ݳx]KQ,Vk*k`Vep-c6O-5U,%O|uI^.˃a-Cx`b̜#M^`yC0H罽-x6 ,L01i!nf92wjIc3̸&S$}(a3 ӮS_>w4'" Iݏ6ИYCƊvsFdu#aq1<̡Pnl@PJmXv瘴C. S@e8>cc>m=]wrl#kvܙ%.H_Kwo2 2`+93Fqxs4I(KESX^ Ղ]#rF331#qyU YT8T"6aNm% 1oE)R%:ek[eA`+/2^;'g^!͖9kng>K:;33U)ւ_./gзǁ/K{KV9((& ]a1W%N_T~7)JrHIhC>~EE~!OG ϿayHO(t&Iw`R11|j;;1TeΝ[QYɶy SO~l]O(#oݒ珸6x}҂ ]@1Su Ыv>cx Ln2LjWݜ햏 Xo| 8jO.d6CF|gKPo!zQ;`KL\}0uGĦrCR2kepwR K?9399 3/&U@DqLgHvyGml<^:yl떮EOfu ݎüȶJ{]!Kb CamR>ǔK ]'[٧3й?-R/e[͌;_X (K# LIN8u vKѪ N7"aaNo0n,$9&@ Rs=Vcm;p3z2 9Qm`-N \70(|Nuu ۊ|Va=vks`cΜ6 *χŀ{̾1^f#9uVedg)C2^#s!?"LnH2m^^kti( aavXˣŬ"D0Ȯ'/'R!la,!r3 KEj F.t3R04OyqBQəȩ8v}_|JѬod;j +sOg |>"2Ƹ(+n:' 7X;EkB(Ozu=tC*G꛺UF7ϝ>!2T!6xN`Eqwş7uUE[*(K- QwdA0}e^KWzv C&ȕ/2F#oUA,jU z' l5mEgl3W'J^R۝7z"f/ROa6%s|N1VKi+n^ϦO*L㇅ wm&l2)v}mb-c6C-;-A'