The long-running dispute over when to release vulnerability information escalated last month into a bitter turf war among several security companies, all of which claimed to have their customers' best interests at heart. And while it might have started by coincidence, this latest dispute illustrates the need for a formal, documented method for reporting security vulnerabilities, according to industry experts.
The flap began June 17 when news of a serious vulnerability in the popular Apache open-source Web server software hit security mailing lists. First to report the flaw was security vendor Internet Security Systems Inc., which released an advisory the day it discovered the problem. The ISS advisory included a piece of code that the company's X-Force research team said would close the security hole. At the time, no formal patch was available.
The Apache Software Foundation, in Forest Hill, Md., which maintains the Apache software, released its own advisory later the same day, which not only criticized ISS for releasing its advisory before a patch was ready but also claimed that Atlanta-based ISS' patch didn't fix the vulnerability.
The CERT Coordination Center, in Pittsburgh, which acts as a kind of clearinghouse for vulnerability data and often coordinates its efforts with security researchers and vendors, published a bulletin that afternoon as well.
The notification barrage, which left users with a mix of contradictory information about a Web server on which many businesses rely, apparently occurred because several security researchers found the Apache flaw virtually simultaneously.
While ISS was preparing its bulletin, Next Generation Security Software Ltd., which had also discovered the problem, contacted CERT and The Apache Software Foundation, alerting them to the problem. Apache developers said they wanted to coordinate the release of the bulletin with CERT, to which NGSS agreed, according to a note posted to the Bugtraq mailing list by David Litchfield, a well-known security researcher and co-founder of NGSS, in Surrey, England.
“Of course, with a premature release from ISS many are now left vulnerable without a patch,” Litchfield wrote.
Marc Maiffret, chief hacking officer of eEye Digital Security Inc., in Aliso Viejo, Calif., also joined the fray, saying that the early release of the vulnerability data will inevitably lead to active exploitation of the flaw by crackers.
“Since there has actually been many chunked encoding vulnerabilities released lately, and exploits [for Win32], it only makes sense that it will take no time for someone to develop an exploit for this Apache Win32 chunked overflow and then start using that to break into systems,” Maiffret wrote in a reply to Litchfield's message.
ISS officials said they saw no need to keep the vulnerability secret for a long period because the company had already developed a patch for the flaw. “ISS was not aware of other researchers discovering this vulnerability nor aware of it in the wild at the time of the advisory,” ISS Chief Technology Officer Chris Klaus wrote in a note on Bugtraq. “We do not view this as a race to beat other researchers to releasing an advisory but a race to protect our customers in a timely manner.”
But this did little to assuage the anger of Apache administrators, who saw ISS' actions as indefensible.
“The belief that you can just issue a patch and consider the problem solved shows a complete lack of understanding for the software development process. Review, testing and [quality assurance] are all part of that process—a third-party patch is no substitute for those,” wrote one respondent to Klaus' note.
The Apache “chunking” problem is a prime example of the kind of situation vulnerability-reporting reformers have been trying to address. In March, Chris Wysopal, director of research and development at @Stake Inc., in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass., drafted a “Responsible Disclosure Process” document and submitted it to the Internet Engineering Task Force for consideration as an Internet standard. But the IETF's security section decided it didn't fit with the body's main mission of developing technical standards for Internet operations.
Wysopal and Christey, who are both well-known in the security community, said they hoped that the document would be an important step toward a uniform disclosure policy. The pair are still considering their options for the document and have talked about creating an independent organization if no existing body shows interest.