.

Public Disclosure of exploits

<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Jun 10, 2010 2:55 pm

Public Disclosure of exploits

I subscribe to the Microsoft Security Response twitter feed, and they put out an announcement about a newly disclosed exploit in the Windows XP help center.

Disclosure article: http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html

Microsoft response: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx


The first article at the bottom makes a case for public disclosure.

The Microsoft response wholeheartedly condemns the public disclosure.

So I put it to you: your opinion on public disclosure of new exploits?
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Jun 18, 2010 7:12 am

Re: Public Disclosure of exploits

Most disclosure policies come with pros and cons - which one to choose has everyone to decide for oneself. I have written a short article about disclosure policies for the Hakin9 magazine - my English version of it should be available in the coming issue, if anyone is interested.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 18, 2010 10:01 am

Re: Public Disclosure of exploits

yatz wrote:The Microsoft response wholeheartedly condemns the public disclosure.

So I put it to you: your opinion on public disclosure of new exploits?


“We must always think about things, and we must think about things as they are, not as they are said to be.” George Bernard Shaw

Public disclosure has never been in the best interest of any vendor for a lot of reasons. Firstly, it can be quite costly for them to run around and mop up their mess. Secondly, it can be quite embarassing. Thirdly, its almost always more economical for them to play damage control "condemn the researcher" than to do the right thing.

Let's take a theoretical look at what happens when a vulnerability is submitted to a vendor. Using MS as an example since we're speaking of them, let's go through the motions of submitting a bug. 1) Person in MSRC opens message and asks for more information. (n amount of time) 2) Person in MSRC acts to escalate 3) Other individuals on the team take a look at it. 4) Validation slash replication of exploitation takes place. 5) Buggy code in program investigated 6) Buggy code found and fixed 7) Marketing hype downplaying bug is created/generated 8) Patch Tuesday (or better depending on the severity of the bug).

I figure my numbers in man hours here... Let's assume it took 2 months to determine what was going on and I use this number based on the following comment from the Daily Dave mailing list:

http://www.zerodayinitiative.com/advisories/upcoming/
Shows how well that "responsible" disclosure is working out:
ZDI-CAN-357      Microsoft      High    2008-06-25, 720 days ago
ZDI-CAN-527      Microsoft      High    2009-07-14, 336 days ago
ZDI-CAN-533      Microsoft      High    2009-07-23, 327 days ago
ZDI-CAN-543      Microsoft      High    2009-08-06, 313 days ago
ZDI-CAN-599      Microsoft      High    2009-10-20, 239 days ago
What's responsible about letting a vendor sit on a serious vulnerability  for almost two years?


So two months is generous. Let's suppose 12 people took 2 hours per work week on my personal bug. 24 man hours (salary) per week * 8 weeks (2 months). 192 total hours down the tube so far. Now let's assume all these employees average a salary of $75,000.00 per year which is extremely low if you ask me, but I'm trying to be fair and theoretical here. At that salary divided by 52 weeks they'd make an estimated $1,442.31 per week or 36.06 per hour. $4,615.38 to fix this bug? Highly doubtful... That cost is ENORMOUSLY low but I'll roll with it anyway. So we have a loss of $4,615.38 multiplied by how many bugs per year here? At my rock-bottom prices, ZDI disclosed 18 advisories to date for MS which would total $83,076.84 in loss from ZDI alone.

Now be realistic about this, I figure a typical bug to average about $10-20,000.00 in costs to fix and I have read that MS pays to the tune of $1,000,000.00 and up per bug fix in R&D, fixing, pushing out, etc.. So again, if this holds true, my numbers are peanuts (obviously). Let's round things off to 10k per bug found and fixed... Using last year's data (2009):

  Code:
$ wget -qO - http://www.microsoft.com/technet/security/advisory/archive.mspx|awk '/Microsoft Security Advisory \(/ && /2009/'|wc -l
      23


At this rate, (10k per fix) MS just threw out $230,000.00 on bugs alone which is peanuts in comparison to their earning. Now much would you like to bet that the actual number for 2009 was probably 20x more? Remember, my numbers are ONLY based on exploit(ed)able issues. Imagine how much MS spends on investigating issues that don't produce results (false positives). So what do you think works better for companies like MS... Spending some marketing time downplaying security as a whole and security research and the researchers. Or actually providing fixes and or good code.

Business as usual dot dot dot Because businesses are in the business to (*drum roll*) make money, you have to understand the potential economic impact of a security hole being discovered and disclosed. For Microsoft, they're in the business to make money not throw it away so it boils down to damage control. If the bug triggers shaky confidence in Microsoft's stock a one percent drop means MS loses $2,310,540,000.00 at this moment based on its market cap. So you tell me, what would make more sense financially for you if you were in a business manager's shoes?
Last edited by sil on Fri Jun 18, 2010 10:03 am, edited 1 time in total.
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jun 18, 2010 10:18 am

Re: Public Disclosure of exploits

Nice response sil -

As for me, I totally understand the business impact of patching (and thank you for backing up the numbers).

On the other hand, all that money is cost of doing business and is part of any software company.  Microsoft just happens to be the big name and is the BIG target.

The case for public disclosure seems to just force the issue instead of allowing the company to self-regulate its patching schedule.  I'm sure there's a measure of pride on both sides, but the company is the one that fronts the bill.

I suppose I never really realized this was such a big topic.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 18, 2010 10:46 am

Re: Public Disclosure of exploits

yatz wrote:Nice response sil -

As for me, I totally understand the business impact of patching (and thank you for backing up the numbers).

On the other hand, all that money is cost of doing business and is part of any software company.  Microsoft just happens to be the big name and is the BIG target.

The case for public disclosure seems to just force the issue instead of allowing the company to self-regulate its patching schedule.  I'm sure there's a measure of pride on both sides, but the company is the one that fronts the bill.

I suppose I never really realized this was such a big topic.


yatz, I tried to be responsive so that others may understand the numbers ;) I get the impression there are a lot of newcomers and young individuals here who probably aren't aware of many security factors. The entire topic of full-disclosure, responsible disclosure, etc., has been argued for years on end.

My personal fave happens to be Marcus Ranum's responses on this http://www.ranum.com/security/computer_ ... closure-1/ I've always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I'm tempted to fire off an email and say... WTH.

Please take a quick minute or two to check out his paper. There is a lot of truth in what he says when it comes to security and "the fame"
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jun 28, 2010 11:09 am

Re: Public Disclosure of exploits

sil wrote:My personal fave happens to be Marcus Ranum's responses on this http://www.ranum.com/security/computer_ ... closure-1/ I've always enjoyed and learned his methods of explaining things from an alternative perspective. He also happens to be a really cool guy even though there are times he writes things and I'm tempted to fire off an email and say... WTH.


I finally got around to reading this and man he makes a lot of sense.  It's kinda what you already imagine is going on, but the way he says it is very direct.  Doesn't sound like he has a lot of love for security researchers.

It would seem to me though that the only ones you hear about are those that fit the category described in the article.  There are probably others out there that you don't hear about that really are in it for benefit.  If there wasn't, open-source wouldn't be as popular.  :)
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

JollyJokker

Post Tue Jun 29, 2010 2:28 am

Re: Public Disclosure of exploits

Personally, I am mostly against public disclosure. As sil's link by Ranum pointed, I strongly believe that fame and marketing are the motives behind public disclosure. I just could never agree that the so-called "benefits" of it can really be that beneficial.

In general though, I am not involved in exploitation (not yet, dunno what may happen later) and probably this is why I see things from this perspective.
<<

apollo

Full Member
Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Tue Jun 29, 2010 8:55 am

Re: Public Disclosure of exploits

Here is another post about the stuff that re-ignited this debate:

http://vrt-sourcefire.blogspot.com/2010 ... faith.html

I use the public disclosed information a fair amount, especially with POC.  It's even more valuable if there are things in the wild as I've written a number of custom rules based on the disclosure that protect me in some cases better than what AV already does or in many many cases, what AV says it does.  Without some of this information, it's difficult to tell how protected you really are.

There are lots of positives and negatives to both sides of this debate, but for me, I hope that the bad guys are not the only ones looking for bugs.  The question really lies in, how does one disclose something "responsibly" when the vendor says it's not a problem.  If you knew about it, and then someone else comes out with a 0day, were you responsible or irresponsible for not letting people know ahead of time how to be protected ?
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

JollyJokker

Post Fri Jul 02, 2010 5:56 am

Re: Public Disclosure of exploits

The new Hakin9 issue (July) has an article regarding disclosure and the whole debate thing.

The new issue can be downloaded from:
http://hakin9.org/magazine/1255-securing-voip
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jul 02, 2010 8:16 am

Re: Public Disclosure of exploits

Hordakk wrote:The new Hakin9 issue (July) has an article regarding disclosure and the whole debate thing.

The new issue can be downloaded from:
http://hakin9.org/magazine/1255-securing-voip



(BTW, that's awesec's article)
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

Return to Opinions

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software