Security researcher Aviv Raff is marking Israel’s 60-year anniversary in his own way-by embedding in his personal blog proof-of-concept code for a zero-day bug targeting Internet Explorer Versions 7 and 8b and challenging readers to find it.
It’s a treasure hunt of sorts, which Raff said is in keeping with an Israeli Independence Day tradition. But it is also a spur to discussion of responsible disclosure.
“I’ve had bad past experience with [Microsoft] dealing with vulnerabilities I submitted,” Raff said. “I know that it will take them too long to patch it, unless they’ll have some sort of pressure.”
Raff described the bug as a remote code execution vulnerability. When triggered, the flaw will launch Windows Calculator, but it can be used to install malicious software on a compromised machine. He said he notified Microsoft of the flaw on May 6.
A Microsoft spokesperson confirmed that the company is aware of Raff’s claims of exploit code, but said the company does not know of any attempts to exploit the code in the wild.
“Once we’re done investigating, we will take appropriate action to help protect customers,” the spokesperson said. “This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”
At its core, the concept of responsible disclosure rests on the question of how much secrecy is good for IT. On the one hand, keeping software vulnerabilities secret can keep them from falling into the hands of hackers. On the other hand, it keeps information about vulnerabilities away from the people who are affected, while hackers may still uncover the flaws on their own.
“Software vendors would never issue patches if there wasn’t the threat of vulnerability disclosure and attacks,” said Gartner analyst John Pescatore. “They would just bundle the fixes into the next regularly planned product release.”
Relying only on security through obscurity is a bad thing, but secrecy is still always an important part of security, Pescatore added.
“Why don’t we all just wear T-shirts with our passwords on them?” he asked rhetorically. “The same issue comes up with what information should be made public on Web sites-just because we have the floor plan of government buildings in electronic form, should it really be put on a Web site?”
TippingPoint Security Research Team Manager Pedram Amini said it is not uncommon for there to be multiple simultaneous discoveries of the same vulnerability, meaning that a flaw’s existence could be known by others in addition to the researcher who chooses to disclose the flaw to the affected vendor.
“I would argue that most published vulnerabilities are known by at least someone other than the credited discoverer,” Amini said. “Whether or not, given this fact, it is in the [public’s] benefit to disclose all details as soon as they are known is a debatable question. I personally believe that the veil of secrecy should not be pierced in all cases possible while the vendor works on a patch. If a bug that is currently being worked out by a vendor is discovered to be publicly exploited, then certainly at that point full disclosure is a necessity.”
Raff said he usually gives the vendor a chance unless he knows for sure it won’t fix the bug in a reasonable time. Microsoft certainly has taken a while to address certain flaws: according to a list supplied recently by TippingPoint’s Zero Day Initiative, Microsoft, Novell, Oracle, CA and Hewlett-Packard all have bugs in their products that have gone long unaddressed.
Raff said he plans to release the full technical details of his finding May 14, and will be placing clues on his site almost every day until then.
Responsible Disclosure Becoming Irrelevant?
According to a Microsoft spokesperson, several factors can affect the priority given to a security update and the amount of time between the discovery of vulnerability and the release of a patch.
“When a potential vulnerability is reported, designated product-specific security experts investigate the scope and impact of a threat on the affected product,” the spokesperson said. “Once the MSRC [Microsoft Security Response Center] knows the extent and the severity of the vulnerability, they work to develop a quality update for every supported version affected …[ Then] it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.”
Does the full disclosure debate still matter?
To Jeremiah Grossman, chief technology officer of WhiteHat Security, the debate about responsible disclosure is no longer relevant. Criminals are hunting for their own zero-day vulnerabilities anyway, he said, and naturally cannot be counted on to disclose them. In addition, the turnaround time from when a patch is issued to when exploit code is released is much shorter than the time it takes for organizations to roll out patches on a wide scale, he said.
Lastly, the financial incentive for researchers to ethically disclose vulnerabilities to software vendors for free is being diminished as large financial rewards can be obtained elsewhere, he added.
“When you are talking about zero-days worth six figures, even the good guys are going to be swayed,” Grossman said. “So the idea [of] debating what exactly is full disclosure versus responsible disclosure I say is irrelevant. The conversation is simply in the wrong place.”
Still, according to Gartner’s Pescatore, responsible disclosure has its place.
“We already knew the bad guys wouldn’t responsibly disclose and we can deal with that. We just don’t need the security companies making it worse,” Pescatore said.