Handling Security

When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporters give a deadline by when they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that makes both happy. If the exploit is not clear, both work on details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties respect each other: if a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to properly credit them.

This is how you handle vulnerability releases, unlike those who report IE vulnerabilities without first notifying Microsoft.

Thank you for the info :slight_smile:
What are you trying to prove???

Al968

That vulnerability releases for Firefox and Opera are handled more professionally by notifying the developer and waiting for them to release a patch before publicly disclosing the vulnerability.

That’s true, but the reason for that is that Mozilla and Opera (especially Opera) don’t take too much time to fix the problems. Microsoft is now more concerned about their update servers’ bandwidth.

Nonsense, you see deliberate public releases of vulnerabilities for IE the day after Microsoft’s patch cycle.

These do not emerge the day after patch Tuesday because some smart aleck hacker is trying to embarrass MS, but because some bad-ass criminals want to give themselves as much time as possible to exploit the vulnerability. These are zero-day exploits in that the first anybody knows about the vulnerability, there’s already an exploit and attacks have started.

http://blogs.zdnet.com/Ou/?p=390

Yeah these “criminals” report the vulnerability the day after to security researchers? Please. Give me a break. The criminal already has the vulnerability and is exploiting it. And no the security companies are not even remotely quick in picking these up.

No, it’s the exploit code that emerges into the wild - I imagine they are seen on underground websites.

Hi FwF,

I think that it all revolves around money. Sitting on a vulnerability to disclose it at the right moment is also a way of making money. There are other things that come into the bargain. Security through obscurity. Do we know what is still insecurely coded and waiting for us down the pipeline? I like the people that play open and discuss patches.
I test the Flock browser, for what it is worth, with the TestGen4Web navigator and Tamper Data, Web Developer, JS View, Java Flock Extension; tried out a special Flush and Collapse script inside its components to improve memory handling; loaded a Mozilla seckey into it; made several improvements so the favorites can be handled just like the other menu items; re-patched and added some script items inside components; and have the Flock wiki code bar installed. Well, I do something towards browser security. Well, the first line is to try to grasp where it is at. When you add an extension and your favorites won’t load, there is something wrong. If everybody opened up the JavaScript console for errors and started to work from there, we’d be a lot better off.
What do you think?

polonus

Hi Polonus,

I’m pretty sure a lot of these attacks are a way to make money, rather than just an attempt to embarrass MS. I found this story which seems to confirm this:

A Microsoft PowerPoint presentation circulating via e-mail is the latest example of a 2006 trend in which paid-for-hire Chinese hackers target Western businesses with malicious Office documents, a security researcher said Wednesday.
IDefense said that the crew responsible for the newest Office attack was Chinese, another similarity with the summer's Word and Excel exploits. Calling the writers "hackers for hire," Dunham said that the rapid shift in China from politically motivated attacks to for-profit hacks is "a cause for concern."

“They’re getting paid a whole lot of money,” Dunham said. “The capitalist attitude is infiltrating Chinese hackers.”

http://www.informationweek.com/news/showArticle.jhtml?articleID=196702154

What’s the need of having patch cycles anyway? Do Mozilla and Opera have patch cycles? Of course not! They patch as soon as they can. Microsoft is more concerned about not having many updates served by their servers.

By the way, Mastertech, do you have your copy of Vista signed by Bill Gates?

http://forum.avast.com/index.php?topic=25839.0

Anyone who has an unknown vulnerability can make plenty of money exploiting it themselves. Disclosures of vulnerabilities are released for other reasons all the time:

Daily flaws ratchet up disclosure debate

As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals. However, his latest endeavor--releasing a browser bug every day during the month of July--has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.

After the first week of flaws were released, one online miscreant from Russia shot off an e-mail to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said…

Patch cycles allow IT departments to easily handle updating and testing. Microsoft understands this. Microsoft has been incredibly aggressive with patching over the last three years, yet people still complain. Prior to the monthly patch cycle you got updates whenever.

Q&A: Microsoft exec defends monthly patch cycle

Q: This is not the first time that an exploit has become available for an unpatched Microsoft vulnerability. Is it causing you to review your patch-release cycle?

A: We don’t want to release an inferior-quality product. We always have to balance the timeliness of the patch with what the current threat is to the customer base. I don’t think we want to change that balance. If the threat level becomes severe enough, we will release something out of that. But we try to limit our out-of-band [releases] because what our customers have asked us to do is to be predictable.

In this particular scenario, you should know we are not happy with the process this went through. We have an outreach program for vulnerability finders. We work very hard to do responsible vulnerability disclosure, and by somebody not reporting this to the vendor, it is the customers who are paying the price.

Q: Is a monthly patch-release cycle good enough any longer?

A: We are always evaluating what the right cycle is. So far, the customer feedback has been to stay on this one-month cycle and to monitor how many of these out-of-bands we actually have to do. The last one was in January, and the previous one, I think, was 22 months before that. So if you really look at it in the overall context, it has been a pretty limited number.

We just did a CSO summit in February, and we thought people would be concerned about there being a third-party solution [for the Windows Metafile flaw]. We asked if Microsoft should have [released a patch] sooner. And they said, “absolutely not, you chose absolutely the right thing to do.”

IT departments need flawless patches not quick fixes. Any competent department can easily work around just about anything.