<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Responsible-ish Disclosure</title>
	<atom:link href="http://www.veracode.com/blog/2008/05/responsible-ish-disclosure/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.veracode.com/blog/2008/05/responsible-ish-disclosure/</link>
	<description>Application security testing, analysis, and metrics</description>
	<lastBuildDate>Tue, 15 May 2012 22:16:53 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Joshua</title>
		<link>http://www.veracode.com/blog/2008/05/responsible-ish-disclosure/comment-page-1/#comment-990</link>
		<dc:creator>Joshua</dc:creator>
		<pubDate>Fri, 09 May 2008 04:09:10 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=97#comment-990</guid>
		<description>I agree with what Chris said, and Core-Security has done nothing but produce top-notch disclosures in an appropriate manner; looking at the timeline of the issue at hand, it was all done professionally.

Here is my perspective, and I won&#039;t use the line on how I worked with 10+ vendors. (Note: I said perspective; take it or leave it.)

1. At least Core-Security found the issue and notified the vendor. It could have been worse if an attacker had found the issue and it was never reported at all.

2. It&#039;s not Core-Security&#039;s fault that Wonderware failed to do any form of quality assurance or code analysis with a focus on security for its product.

3. End-users, or anyone using a product, have the right to know if they are vulnerable or where a vulnerability resides, and this includes whether a patch has been released or the advisory has been done in a certain period of time, including the amount of information disclosed. Why? Well, I want to know and be able to make the decision whether or not I want to keep it deployed in my environment or take it out till a patch is actually out. This is all on the basis of severity and risk. If I were Core, I might have released earlier.

4. I&#039;ve seen less professional and worse cases of vulnerability and exploit disclosure than this issue; when someone drops the bomb on an issue discovered in Windows, it&#039;s a huge impact. I don&#039;t hear anyone bashing the user disclosing those. I wonder what the real issue at hand is with Liquidmatrix? Nobody is holding anyone&#039;s leg here, and maybe his brain ran away in the night.</description>
		<content:encoded><![CDATA[<p>I agree with what Chris said, and Core-Security has done nothing but produce top-notch disclosures in an appropriate manner; looking at the timeline of the issue at hand, it was all done professionally.</p>
<p>Here is my perspective, and I won&#8217;t use the line on how I worked with 10+ vendors. (Note: I said perspective; take it or leave it.)</p>
<p>1. At least Core-Security found the issue and notified the vendor. It could have been worse if an attacker had found the issue and it was never reported at all.</p>
<p>2. It&#8217;s not Core-Security&#8217;s fault that Wonderware failed to do any form of quality assurance or code analysis with a focus on security for its product.</p>
<p>3. End-users, or anyone using a product, have the right to know if they are vulnerable or where a vulnerability resides, and this includes whether a patch has been released or the advisory has been done in a certain period of time, including the amount of information disclosed. Why? Well, I want to know and be able to make the decision whether or not I want to keep it deployed in my environment or take it out till a patch is actually out. This is all on the basis of severity and risk. If I were Core, I might have released earlier.</p>
<p>4. I&#8217;ve seen less professional and worse cases of vulnerability and exploit disclosure than this issue; when someone drops the bomb on an issue discovered in Windows, it&#8217;s a huge impact. I don&#8217;t hear anyone bashing the user disclosing those. I wonder what the real issue at hand is with Liquidmatrix? Nobody is holding anyone&#8217;s leg here, and maybe his brain ran away in the night.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Marcin</title>
		<link>http://www.veracode.com/blog/2008/05/responsible-ish-disclosure/comment-page-1/#comment-989</link>
		<dc:creator>Marcin</dc:creator>
		<pubDate>Fri, 09 May 2008 01:45:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=97#comment-989</guid>
		<description>Should exploit code even be released? Besides researcher ego and script kiddies, who benefits from PoC exploit release?  Is it to prove a point?  If details of the vulnerability are released full-disclosure, that should be more than enough information for people to go out and mitigate the issues. Throwing an exploit PoC into the mix is just adding fuel to the fire.</description>
		<content:encoded><![CDATA[<p>Should exploit code even be released? Besides researcher ego and script kiddies, who benefits from PoC exploit release?  Is it to prove a point?  If details of the vulnerability are released full-disclosure, that should be more than enough information for people to go out and mitigate the issues. Throwing an exploit PoC into the mix is just adding fuel to the fire.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Wysopal</title>
		<link>http://www.veracode.com/blog/2008/05/responsible-ish-disclosure/comment-page-1/#comment-987</link>
		<dc:creator>Chris Wysopal</dc:creator>
		<pubDate>Thu, 08 May 2008 21:19:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=97#comment-987</guid>
		<description>There is a continuum of information that can be disclosed in a coordinated release when the vendor is also releasing a fix.  There is a window of vulnerability between the time of the coordinated release and when a system is patched.  Is all information release responsible or are there some things that should wait?

At one end of the spectrum the discloser could release a working exploit.  Some would say it&#039;s responsible disclosure because the patch is available. Exploits are released all the time for patched vulnerabilities.  But the few days after a new disclosure are particularly sensitive since systems may not be patched yet.  Another level of information is the proof of concept which can quickly be turned into an exploit so they are really about the same thing.

Then there is the disclosure that has all the details of the vulnerability down to commented assembler code.  Someone can certainly develop an exploit from this if they have the skills.  This seems to be what Chris Eng is calling &quot;responsible-ish&quot;.  I am not convinced that this level of disclosure is more helpful or hurtful in the short term after a patch is first released.

I have always thought that all information about a vulnerability including working exploits should eventually be released, but with a delay after the initial disclosure to give people some time to patch.  We tried this at @stake for a while (just before we were gobbled up by Symantec and all disclosures stopped)*.  We would hold the details that would help with writing the exploit for 30 days so people would have time to patch.  

In the end it is all compromise and there are always edge cases but for the majority of flaws a delay on details would help more than hurt security.

-Chris


*To be fair they started up after about a year.</description>
		<content:encoded><![CDATA[<p>There is a continuum of information that can be disclosed in a coordinated release when the vendor is also releasing a fix.  There is a window of vulnerability between the time of the coordinated release and when a system is patched.  Is all information release responsible or are there some things that should wait?</p>
<p>At one end of the spectrum the discloser could release a working exploit.  Some would say it&#8217;s responsible disclosure because the patch is available. Exploits are released all the time for patched vulnerabilities.  But the few days after a new disclosure are particularly sensitive since systems may not be patched yet.  Another level of information is the proof of concept which can quickly be turned into an exploit so they are really about the same thing.</p>
<p>Then there is the disclosure that has all the details of the vulnerability down to commented assembler code.  Someone can certainly develop an exploit from this if they have the skills.  This seems to be what Chris Eng is calling &#8220;responsible-ish&#8221;.  I am not convinced that this level of disclosure is more helpful or hurtful in the short term after a patch is first released.</p>
<p>I have always thought that all information about a vulnerability including working exploits should eventually be released, but with a delay after the initial disclosure to give people some time to patch.  We tried this at @stake for a while (just before we were gobbled up by Symantec and all disclosures stopped)*.  We would hold the details that would help with writing the exploit for 30 days so people would have time to patch.  </p>
<p>In the end it is all compromise and there are always edge cases but for the majority of flaws a delay on details would help more than hurt security.</p>
<p>-Chris</p>
<p>*To be fair they started up after about a year.</p>
]]></content:encoded>
	</item>
</channel>
</rss>