Cutting Through the Spin of Recent Vulnerability Disclosures

The FUD surrounding the ClickJacking and TCP/IP vulnerabilities has the world seemingly frozen in fear. But once you cut through the spin, the vulnerabilities aren't all that they were made out to be.

There are a few highly publicised vulnerabilities at the moment which haven't completely been disclosed and which, it is claimed, could threaten the whole Internet as-we-know-it. Only, when the vulnerabilities are finally disclosed, it seems that the whole incident has been somewhat Chicken Little.

There is growing concern that the self publicity and public grandstanding is beginning to hurt the whole idea of open disclosure and mature handling of vulnerabilities. Disclosing at a conference might help the conference organisers and be seen as a publicity boost to the presenter / discoverer, but are we to expect the average Information Security practitioner to attend every Information Security conference on the off chance that a self-aggrandiser will be presenting information on a vulnerability that may or may not actually be relevant?

Setting aside the venue for disclosure, the actual content of the vulnerabilities that have been disclosed via partial disclosure in recent months has not been enough to support the idea that partial disclosure is what we're going to have to get used to. This is especially the case once the hype circuit has been allowed to build up to the point that it seems the world is going to end if we all don't suddenly run out and fix the problem that has no public solution and no public definition.

If "ClickJacking" and Daminsky's DNS flaw are anything to go by, the idea that not disclosing is going to hide anything from the "bad guys" falls flat on its face. The same can be said of the TCP Denial of Service and Web application appliance vulnerabilities that are also being bandied about at the moment. What the discoverers tried (and are trying) to hide was quickly worked out by others who publicly speculated on open mailing lists, and enough information was leaked in the partial disclosures and online demonstrations (where they were provided) to give enough to go on for suitably skilled "bad guys" to find and target. Unfortunately, the baseline skill level required to find the vulnerability isn't high enough to effectively claim that the partial-disclosure works. Fortunately, there are plenty of script kiddies out there who are too lazy and unskilled to be able to find it on their own, but it only takes one who can in order for the approach to fail.

One of the most respected voices in Information Security, Fyodor, has singled out the recent TCP Denial of Service non-disclosure for special attention, using it to voice his displeasure at the increasing use of the non-Disclosure as a means of disclosing vulnerability data. Fyodor's opinion on partial disclosure is simply stated as "put up or shut up!".

Looking at the TCP Denial of Service vulnerability that has only partially been disclosed (Full Disclosure promised, later this month, at a Security Conference), Fyodor's assessment (and that of others) is that it has all been seen and done before - mostly by people who then didn't run around claiming the world was going to end. Fyodor steps through and explains how his particular take on the vulnerability (at least how he sees it) works and how it achieved the same goals.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags clickjackingTCP/IP

Show Comments