Zero-Day Challenge Revives Disclosure Debate

An Israeli researcher challenges readers to find a proof-of-concept zero-day bug embedded in his blog.

Security researcher Aviv Raff is marking Israel's 60-year anniversary in his own way-by embedding in his personal blog proof-of-concept code for a zero-day bug targeting Internet Explorer Versions 7 and 8b and challenging readers to find it.

It's a treasure hunt of sorts, which Raff said is in keeping with an Israeli Independence Day tradition. But it is also a spur to discussion of responsible disclosure.

"I've had bad past experience with [Microsoft] dealing with vulnerabilities I submitted," Raff said. "I know that it will take them too long to patch it, unless they'll have some sort of pressure."

Raff described the bug as a remote code execution vulnerability. When triggered, the flaw will launch Windows Calculator, but it can be used to install malicious software on a compromised machine. He said he notified Microsoft of the flaw on May 6.

A Microsoft spokesperson confirmed that the company is aware of Raff's claims of exploit code, but said the company does not know of any attempts to exploit the code in the wild.

"Once we're done investigating, we will take appropriate action to help protect customers," the spokesperson said. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

At its core, the concept of responsible disclosure rests on the question of how much secrecy is good for IT. On the one hand, keeping software vulnerabilities secret can keep them from falling into the hands of hackers. On the other hand, it keeps information about vulnerabilities away from the people who are affected, while hackers may still uncover the flaws on their own.

"Software vendors would never issue patches if there wasn't the threat of vulnerability disclosure and attacks," said Gartner analyst John Pescatore. "They would just bundle the fixes into the next regularly planned product release."

Relying only on security through obscurity is a bad thing, but secrecy is still always an important part of security, Pescatore added.

"Why don't we all just wear T-shirts with our passwords on them?" he asked rhetorically. "The same issue comes up with what information should be made public on Web sites-just because we have the floor plan of government buildings in electronic form, should it really be put on a Web site?"

Are month-long bug disclosure events just selfish publicity-hogging? Click here to read Security Center Editor Larry Seltzer's opinion.

TippingPoint Security Research Team Manager Pedram Amini said it is not uncommon for there to be multiple simultaneous discoveries of the same vulnerability, meaning that a flaw's existence could be known by others in addition to the researcher who chooses to disclose the flaw to the affected vendor.

"I would argue that most published vulnerabilities are known by at least someone other than the credited discoverer," Amini said. "Whether or not, given this fact, it is in the [public's] benefit to disclose all details as soon as they are known is a debatable question. I personally believe that the veil of secrecy should not be pierced in all cases possible while the vendor works on a patch. If a bug that is currently being worked out by a vendor is discovered to be publicly exploited, then certainly at that point full disclosure is a necessity."

Raff said he usually gives the vendor a chance unless he knows for sure it won't fix the bug in a reasonable time. Microsoft certainly has taken a while to address certain flaws: according to a list supplied recently by TippingPoint's Zero Day Initiative, Microsoft, Novell, Oracle, CA and Hewlett-Packard all have bugs in their products that have gone long unaddressed.

Raff said he plans to release the full technical details of his finding May 14, and will be placing clues on his site almost every day until then.