I believe that knowing about a software vulnerability is better than not knowing, and I've had a running argument with Microsoft regarding open disclosure of software vulnerabilities. Microsoft maintains that it often needs more time to fix a flaw and, therefore, would prefer to work with the discoverer privately. That's fine, but Microsoft has also been known to punt on significant vulnerabilities in the past, vulnerabilities that were patched only after the discoverer went public.
On the other hand, some security researchers think that major corporations can roll out a patch for a given flaw in just hours. I understand that they often can't, but I also want the ability to switch to Mozilla Firefox or Netscape as my default browser, should I learn that Internet Explorer will allow a remote user access to my desktop.
Oracle was recently accused of waiting more than two years to patch a known flaw; a security group, Red Database Security, published the flaw last week. In response, Mary Ann Davidson, chief security officer at Oracle, recently wrote an opinion piece on News.com defending the actions her company has taken against researchers who threaten to sell the vulnerability information to a security company or expose the vulnerability at a major security conference, such as Black Hat.
What a coincidence.
Intrigue at Black Hat
At this year's Black Hat, Michael Lynn, a security researcher formerly associated with Internet Security Solutions (ISS), was expected to talk about a Cisco IOS shellcode buffer overflow vulnerability. However, the day before his presentation, when the conference proceedings documentation was handed out to attendees, roughly 10 pages of the massive, phone book-size tome had been ripped out: Lynn's presentation was missing. Also, the CD-ROM of the conference proceedings was delayed until the end of the conference. But instead of canceling his presentation, Lynn showed up...and dropped a huge bombshell. He said he was able to remotely gain control of a Cisco router, thousands of which more or less form the backbone of the Internet today. In the hands of someone malicious, Lynn said, an exploit of this flaw could destroy the physical hardware that runs the Internet. Although now legally barred from discussing the specific exploit, Lynn said later, "I felt [Black Hat] was the right forum...I did not think the nation's interest was served by waiting another year." One day after Black Hat ended, Cisco published a detailed advisory on the router flaw.
Vulnerability reports for hire
Despite Cisco's legal wrangling, other companies continue to encourage more software vulnerability discoveries (come on, we all know they're out there). TippingPoint Technologies, a division of 3Com, used Black Hat to announce its new Zero Day Initiative, where "zero day" is security parlance for a previously unknown vulnerability. The program provides a financial incentive for independent security researchers to report new software flaws.
The idea isn't entirely new. iDefense, now a part of Verisign, has offered a similar incentive, the Vulnerability Contributor Program, since last year. Under this program, payment is determined by a number of criteria, including whether the submission is a vulnerability or an exploit of a vulnerability, as well as how much information is provided. In addition, at the end of each quarter, the top five contributors are eligible to receive reward payments of anywhere from $1,000 to $5,000.
Over the course of this year's Black Hat Briefings USA, at least 15 new vulnerabilities are expected to be announced, as well as 15 new security tools introduced. In the coming weeks, I'll be writing more about flaws discovered within antivirus apps (bet you didn't think to look there), in drivers used by Windows to recognize USB devices (such as mice, keyboards, and storage devices), and more. I, for one, think knowing what's out there and what it might do to my computer lessens my fears and empowers me to make smart decisions about my desktop's security.
New CNET Security Center
All this talk of new threats, new patches, and the ever-growing controversy of when the public needs to know has led me to the creation of a new door on CNET. The CNET Security Center (launching on Monday, August 1, 2005) gives you one-stop shopping when it comes to security product reviews, downloads, and late-breaking security news, such as a new virus or threat or an important patch. I appreciate your feedback, as this is an evolving page, as dynamic as the Internet itself.
Should software vulnerabilities be made public? Talk back to me.