Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management

    Zero-Day Challenge Revives Disclosure Debate

    By
    Brian Prince
    -
    May 8, 2008
    Share
    Facebook
    Twitter
    Linkedin

      Security researcher Aviv Raff is marking Israel’s 60-year anniversary in his own way-by embedding in his personal blog proof-of-concept code for a zero-day bug targeting Internet Explorer Versions 7 and 8b and challenging readers to find it.

      It’s a treasure hunt of sorts, which Raff said is in keeping with an Israeli Independence Day tradition. But it is also a spur to discussion of responsible disclosure.

      “I’ve had bad past experience with [Microsoft] dealing with vulnerabilities I submitted,” Raff said. “I know that it will take them too long to patch it, unless they’ll have some sort of pressure.”

      Raff described the bug as a remote code execution vulnerability. When triggered, the flaw will launch Windows Calculator, but it can be used to install malicious software on a compromised machine. He said he notified Microsoft of the flaw on May 6.

      A Microsoft spokesperson confirmed that the company is aware of Raff’s claims of exploit code, but said the company does not know of any attempts to exploit the code in the wild.

      “Once we’re done investigating, we will take appropriate action to help protect customers,” the spokesperson said. “This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”

      At its core, the concept of responsible disclosure rests on the question of how much secrecy is good for IT. On the one hand, keeping software vulnerabilities secret can keep them from falling into the hands of hackers. On the other hand, it keeps information about vulnerabilities away from the people who are affected, while hackers may still uncover the flaws on their own.

      “Software vendors would never issue patches if there wasn’t the threat of vulnerability disclosure and attacks,” said Gartner analyst John Pescatore. “They would just bundle the fixes into the next regularly planned product release.”

      Relying only on security through obscurity is a bad thing, but secrecy is still always an important part of security, Pescatore added.

      “Why don’t we all just wear T-shirts with our passwords on them?” he asked rhetorically. “The same issue comes up with what information should be made public on Web sites-just because we have the floor plan of government buildings in electronic form, should it really be put on a Web site?”

      Are month-long bug disclosure events just selfish publicity-hogging? Click here to read Security Center Editor Larry Seltzer’s opinion.

      TippingPoint Security Research Team Manager Pedram Amini said it is not uncommon for there to be multiple simultaneous discoveries of the same vulnerability, meaning that a flaw’s existence could be known by others in addition to the researcher who chooses to disclose the flaw to the affected vendor.

      “I would argue that most published vulnerabilities are known by at least someone other than the credited discoverer,” Amini said. “Whether or not, given this fact, it is in the [public’s] benefit to disclose all details as soon as they are known is a debatable question. I personally believe that the veil of secrecy should not be pierced in all cases possible while the vendor works on a patch. If a bug that is currently being worked out by a vendor is discovered to be publicly exploited, then certainly at that point full disclosure is a necessity.”

      Raff said he usually gives the vendor a chance unless he knows for sure it won’t fix the bug in a reasonable time. Microsoft certainly has taken a while to address certain flaws: according to a list supplied recently by TippingPoint’s Zero Day Initiative, Microsoft, Novell, Oracle, CA and Hewlett-Packard all have bugs in their products that have gone long unaddressed.

      Raff said he plans to release the full technical details of his finding May 14, and will be placing clues on his site almost every day until then.

      Responsible Disclosure Becoming Irrelevant?

      According to a Microsoft spokesperson, several factors can affect the priority given to a security update and the amount of time between the discovery of vulnerability and the release of a patch.

      “When a potential vulnerability is reported, designated product-specific security experts investigate the scope and impact of a threat on the affected product,” the spokesperson said. “Once the MSRC [Microsoft Security Response Center] knows the extent and the severity of the vulnerability, they work to develop a quality update for every supported version affected …[ Then] it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.”

      Does the full disclosure debate still matter?

      To Jeremiah Grossman, chief technology officer of WhiteHat Security, the debate about responsible disclosure is no longer relevant. Criminals are hunting for their own zero-day vulnerabilities anyway, he said, and naturally cannot be counted on to disclose them. In addition, the turnaround time from when a patch is issued to when exploit code is released is much shorter than the time it takes for organizations to roll out patches on a wide scale, he said.

      Lastly, the financial incentive for researchers to ethically disclose vulnerabilities to software vendors for free is being diminished as large financial rewards can be obtained elsewhere, he added.

      “When you are talking about zero-days worth six figures, even the good guys are going to be swayed,” Grossman said. “So the idea [of] debating what exactly is full disclosure versus responsible disclosure I say is irrelevant. The conversation is simply in the wrong place.”

      Still, according to Gartner’s Pescatore, responsible disclosure has its place.

      “We already knew the bad guys wouldn’t responsibly disclose and we can deal with that. We just don’t need the security companies making it worse,” Pescatore said.

      Brian Prince

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×