Public Disclosure of exploits

Viewing 9 reply threads
  • Author
    Posts
    • #5182
      yatz
      Participant

      I subscribe to the Microsoft Security Response twitter feed, and they put out an announcement about a newly disclosed exploit in the Windows XP help center.

      Disclosure article: http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html

      Microsoft response: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx

      The first article at the bottom makes a case for public disclosure.

      The Microsoft response wholeheartedly condemns the public disclosure.

      So I put it to you: your opinion on public disclosure of new exploits?

    • #32817
      UNIX
      Participant

      Most disclosure policies come with pros and cons – which one to choose has everyone to decide for oneself. I have written a short article about disclosure policies for the Hakin9 magazine – my English version of it should be available in the coming issue, if anyone is interested.

    • #32818
      sil
      Participant

      @yatz wrote:

      The Microsoft response wholeheartedly condemns the public disclosure.

      So I put it to you: your opinion on public disclosure of new exploits?

      “We must always think about things, and we must think about things as they are, not as they are said to be.” George Bernard Shaw

      Public disclosure has never been in the best interest of any vendor for a lot of reasons. Firstly, it can be quite costly for them to run around and mop up their mess. Secondly, it can be quite embarassing. Thirdly, its almost always more economical for them to play damage control “condemn the researcher” than to do the right thing.

      Let’s take a theoretical look at what happens when a vulnerability is submitted to a vendor. Using MS as an example since we’re speaking of them, let’s go through the motions of submitting a bug. 1) Person in MSRC opens message and asks for more information. (n amount of time) 2) Person in MSRC acts to escalate 3) Other individuals on the team take a look at it. 4) Validation slash replication of exploitation takes place. 5) Buggy code in program investigated 6) Buggy code found and fixed 7) Marketing hype downplaying bug is created/generated 8) Patch Tuesday (or better depending on the severity of the bug).

      I figure my numbers in man hours here… Let’s assume it took 2 months to determine what was going on and I use this number based on the following comment from the Daily Dave mailing list:

      http://www.zerodayinitiative.com/advisories/upcoming/
      Shows how well that “responsible” disclosure is working out:
      ZDI-CAN-357      Microsoft      High    2008-06-25, 720 days ago
      ZDI-CAN-527      Microsoft      High    2009-07-14, 336 days ago
      ZDI-CAN-533      Microsoft      High    2009-07-23, 327 days ago
      ZDI-CAN-543      Microsoft      High    2009-08-06, 313 days ago
      ZDI-CAN-599      Microsoft      High    2009-10-20, 239 days ago
      What’s responsible about letting a vendor sit on a serious vulnerability  for almost two years?

      So two months is generous. Let’s suppose 12 people took 2 hours per work week on my personal bug. 24 man hours (salary) per week * 8 weeks (2 months). 192 total hours down the tube so far. Now let’s assume all these employees average a salary of $75,000.00 per year which is extremely low if you ask me, but I’m trying to be fair and theoretical here. At that salary divided by 52 weeks they’d make an estimated $1,442.31 per week or 36.06 per hour. $4,615.38 to fix this bug? Highly doubtful… That cost is ENORMOUSLY low but I’ll roll with it anyway. So we have a loss of $4,615.38 multiplied by how many bugs per year here? At my rock-bottom prices, ZDI disclosed 18 advisories to date for MS which would total $83,076.84 in loss from ZDI alone.

      Now be realistic about this, I figure a typical bug to average about $10-20,000.00 in costs to fix and I have read that MS pays to the tune of $1,000,000.00 and up per bug fix in R&D, fixing, pushing out, etc.. So again, if this holds true, my numbers are peanuts (obviously). Let’s round things off to 10k per bug found and fixed… Using last year’s data (2009):

      $ wget -qO - http://www.microsoft.com/technet/security/advisory/archive.mspx|awk '/Microsoft Security Advisory (/ && /2009/'|wc -l
           23

      At this rate, (10k per fix) MS just threw out $230,000.00 on bugs alone which is peanuts in comparison to their earning. Now much would you like to bet that the actual number for 2009 was probably 20x more? Remember, my numbers are ONLY based on exploit(ed)able issues. Imagine how much MS spends on investigating issues that don’t produce results (false positives). So what do you think works better for companies like MS… Spending some marketing time downplaying security as a whole and security research and the researchers. Or actually providing fixes and or good code.

      Business as usual dot dot dot Because businesses are in the business to (*drum roll*) make money, you have to understand the potential economic impact of a security hole being discovered and disclosed. For Microsoft, they’re in the business to make money not throw it away so it boils down to damage control. If the bug triggers shaky confidence in Microsoft’s stock a one percent drop means MS loses $2,310,540,000.00 at this moment based on its market cap. So you tell me, what would make more sense financially for you if you were in a business manager’s shoes?

    • #32819
      yatz
      Participant

      Nice response sil –

      As for me, I totally understand the business impact of patching (and thank you for backing up the numbers).

      On the other hand, all that money is cost of doing business and is part of any software company.  Microsoft just happens to be the big name and is the BIG target.

      The case for public disclosure seems to just force the issue instead of allowing the company to self-regulate its patching schedule.  I’m sure there’s a measure of pride on both sides, but the company is the one that fronts the bill.

      I suppose I never really realized this was such a big topic.

    • #32820
      sil
      Participant

      @yatz wrote:

      Nice response sil –

      As for me, I totally understand the business impact of patching (and thank you for backing up the numbers).

      On the other hand, all that money is cost of doing business and is part of any software company.  Microsoft just happens to be the big name and is the BIG target.

      The case for public disclosure seems to just force the issue instead of allowing the company to self-regulate its patching schedule.  I’m sure there’s a measure of pride on both sides, but the company is the one that fronts the bill.

      I suppose I never really realized this was such a big topic.

      yatz, I tried to be responsive so that others may understand the numbers 😉 I get the impression there are a lot of newcomers and young individuals here who probably aren’t aware of many security factors. The entire topic of full-disclosure, responsible disclosure, etc., has been argued for years on end.

      My personal fave happens to be Marcus Ranum’s responses on this http://www.ranum.com/security/computer_security/editorials/disclosure-1/ I’ve always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I’m tempted to fire off an email and say… WTH.

      Please take a quick minute or two to check out his paper. There is a lot of truth in what he says when it comes to security and “the fame”

    • #32821
      yatz
      Participant

      @sil wrote:

      My personal fave happens to be Marcus Ranum’s responses on this http://www.ranum.com/security/computer_security/editorials/disclosure-1/ I’ve always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I’m tempted to fire off an email and say… WTH.

      I finally got around to reading this and man he makes a lot of sense.  It’s kinda what you already imagine is going on, but the way he says it is very direct.  Doesn’t sound like he has a lot of love for security researchers.

      It would seem to me though that the only ones you hear about are those that fit the category described in the article.  There are probably others out there that you don’t hear about that really are in it for benefit.  If there wasn’t, open-source wouldn’t be as popular.  🙂

    • #32822
      Anonymous
      Participant

      Personally, I am mostly against public disclosure. As sil’s link by Ranum pointed, I strongly believe that fame and marketing are the motives behind public disclosure. I just could never agree that the so-called “benefits” of it can really be that beneficial.

      In general though, I am not involved in exploitation (not yet, dunno what may happen later) and probably this is why I see things from this perspective.

    • #32823
      apollo
      Participant

      Here is another post about the stuff that re-ignited this debate:

      http://vrt-sourcefire.blogspot.com/2010/06/defenders-of-faith.html

      I use the public disclosed information a fair amount, especially with POC.  It’s even more valuable if there are things in the wild as I’ve written a number of custom rules based on the disclosure that protect me in some cases better than what AV already does or in many many cases, what AV says it does.  Without some of this information, it’s difficult to tell how protected you really are.

      There are lots of positives and negatives to both sides of this debate, but for me, I hope that the bad guys are not the only ones looking for bugs.  The question really lies in, how does one disclose something “responsibly” when the vendor says it’s not a problem.  If you knew about it, and then someone else comes out with a 0day, were you responsible or irresponsible for not letting people know ahead of time how to be protected ?

    • #32824
      Anonymous
      Participant

      The new Hakin9 issue (July) has an article regarding disclosure and the whole debate thing.

      The new issue can be downloaded from:
      http://hakin9.org/magazine/1255-securing-voip

    • #32825
      yatz
      Participant

      @Hordakk wrote:

      The new Hakin9 issue (July) has an article regarding disclosure and the whole debate thing.

      The new issue can be downloaded from:
      http://hakin9.org/magazine/1255-securing-voip

      (BTW, that’s awesec’s article)

Viewing 9 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?