Enterprise Strategy Group | Getting to the bigger truth.TM

Dan Ducey
IT Artillery
by Dan Ducey
Arming IT professionals with facts, oddities, remedies and recommendations related to the challenges and controversies they face daily.

No Man's Land

There is a war going on, but this war is different. It’s a war that’s not fought with ground troops, air power, or artillery, but with ones and zeros. But as far as IT is concerned, it’s still a deadly game.

Recently a Moscow-based security research firm named Intevydis announced that rather than follow the standard method of disclosing security holes called “responsible disclosure” (basically reporting findings privately to the affected vendor first, so that the vendor can repair/patch the issue before it is made public), they would publish their findings without first informing the vendor, the so-called “full disclosure” approach. In the words of Evgeny Legerov, founder of Intevydis: “After working with the vendors long enough, we’ve come to conclusion that, to put it simply, it is a waste of time.”

“At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret. There are plenty of examples that show this so-called “full disclosure” approach does in fact prompt vendors to issue patches faster than when privately notified by the researcher and permitted to research and fix the problem on their own schedule.”

There are examples of vendors that apparently require the assistance of these security researchers to fully address non-public security issues, for example – Adobe screw-up leaves Flash flaw unpatched for 16 months:

So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for “next” release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and let him know the progress; sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue.

It also seems vendors are quicker to issue patches once the bug becomes public – With bug public, Oracle rushes out WebLogic fix:

Oracle has rushed out a patch for its WebLogic application server, two weeks after a Russian security researcher posted details of the vulnerability… Oracle issued its most-recent set of security patches on Jan. 12, but was apparently forced to rush out a WebLogic patch after security research firm Intevydis went public with details of the flaw on Jan. 23.

There’s also a bit of a PR battle going on, with some news organizations using what I call the “big scary headline treatment,” for instance – Microsoft knew about IE flaw for months:

Microsoft knew about the critical flaw in Internet Explorer (IE) that was recently exploited by hackers to gain entry to the systems of Google and at least 20 other big name companies… “As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.”… The news will come as no surprise to many security watchers, although it highlights what some have described as an inadequate system of ‘responsible disclosure’…”

However, if one actually reads the supporting MS blog posting, one discovers that while the headline is true, it’s misleading. There’s more to the story:

“As we noted in our blog post yesterday, this Internet Explorer security update was already planned for release in February.”

So while Microsoft was aware of the issue since September, they also had been working on a patch for it and that patch was due to be released in February, but the release date was moved up once the flaw became public knowledge. There’s no mention of this in the itnews.com article.

And now we have the latest salvo to be fired: Attack code for Firefox zero-day goes wild, says researcher

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla’s Firefox browser. The exploit – which allows attackers to remotely execute malicious code on end user PCs – triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis.

I’ve highlighted examples from only a few vendors on the various fronts in this security war, but rest assured: this is an industry-wide problem and an ongoing one with new vulnerabilities found practically every day. As an IT admin, one sometimes gets the feeling we’re trapped in no-man’s-land, unsure of which trench to call home, waiting for the next shell to hit. Hopefully not so close to our position that it takes out half our infrastructure–or worse.

Do vendors need to work more closely with security researchers? Is there a better system? I can understand why researchers get frustrated when vendors don’t seem to address issues quickly, but I also do not support the policy of full disclosure, because sure as (expletive deleted) those shells will be raining down around IT, business will take a hit, and administrators will be left shell-shocked.

Which side are you on? Are you, like me, reduced to praying for a truce? Because patching after the exploit goes public is like clearing a minefield with half a map. Sooner or later… boom. Let us know your argument for either side (or both) in the comments; we’d love to hear your thoughts.

