Partially disclosing vulnerabilities does no one any good
- 30 September, 2008 12:00
What if I were to tell you that I have a secret that could end the Internet as you know it? What if I were only going to tell you at a fee-based conference, once speculation had gone on for a month or more? How would you respond to that?
If what I held turned out to be nothing, then it was nothing more than a waste of everyone's time and effort, and I would appear to have conned you out of some money.
If what I held actually was something, then it could almost be considered information blackmail - holding critical information hostage and refusing to tell anyone any details beyond the initial scaremongering until some arbitrary set of conditions had been met.
Whatever the outcome, you are sure to be more reluctant to listen to my pronouncements in the future.
Unfortunately, for some strange reason, a number of Information Security experts seem to have decided upon this course of action when alerting people to a problem they have discovered. At the moment the approach seems to be having the result the researchers intend - raising awareness that a problem exists, so that when the information is finally released people are ready to do something about it. Whether more people actually end up doing something is another matter.
Through repeated quasi-disclosures, the Information Security industry risks becoming the boy who cried wolf. If this pattern of hype-disclosure continues for long enough, new announcements will eventually be ignored completely by the wider market. Enterprising attackers are always on the lookout for new weaknesses to target, and a hint tells them where to start looking while leaving defenders with nothing they can actually fix, so it could be argued that hinting at a vulnerability does the end user more harm than good.
Those who are cynically minded would also argue that the discoverer is only highlighting their discovery in order to sell you something, which conveniently turns out to be either a magic bullet that stops attacks against the vulnerability cold or a service that would have identified your exposure to it long before it was made semi-public. Unfortunately this is becoming all too common, especially when disclosure happens via a press release from an Information Security vendor.
The DNS flaw that Dan Kaminsky (re)discovered was a real problem (given the number of vendors that were vulnerable), but how the disclosure was handled left many disappointed. Other researchers seem to be treading the same path, the latest in the series of speculative announcements coming from the normally reliable GNUCITIZEN group, who have announced a supposedly new technique that is claimed to allow universal website hijacking.
But, based on the information published so far, it isn't as bad as the initial claim makes out. It is a vulnerability, or set of vulnerabilities, found in devices (currently believed to be Web Application Firewalls [WAF]) placed between a site and the rest of the internet. That is like saying that because a commonly used antivirus suite has some critical vulnerabilities (which most already do), everyone's computer can be compromised and the end of the world is nigh. Come October 30 the details are to be released at a fee-based conference, but since they were sold to a vulnerability trader, they may not even be made public at that time.
When vendors move to close down a talk, the situation is somewhat different. Jeremiah Grossman and Robert "RSnake" Hansen were to speak on "ClickJacking" at a recent security conference, but vendor requests led to the cancellation of the talk. We are going to have to wait until the vendors involved are able to release patches for the suppressed issue, but early estimates, based on the limited information made public so far, are that it is a reappearance of a previously discovered but not widely known issue. Claims are that it dates from at least 2002, but the description of the vulnerability makes it sound like something beginning web developers could stumble across when learning object placement on web pages, so it could be even older.
At the very least, the severity of the issue seems to have caught the rediscoverers completely by surprise. RSnake even acknowledges that the way the issue is being handled, as far as partial disclosure goes, draws parallels with many previous cases, and that it could still end up being messy for them.
What is happening is not Full Disclosure; rather, it is disclosure just far enough to draw attention to you and your company (and possibly a financial return). It is debatable whether it is even Responsible Disclosure.
The whole partial disclosure trend may be an unavoidable result of the commercialisation of Information Security, so it is not going to go away, and we will have to learn to manage information released through such processes as we already do for other disclosure practices.