Thursday, July 9, 2009

This is Why "Responsible Disclosure" is a Joke.

Responsible Disclosure:
Responsible disclosure is a term concerning the subject of computer security. It is like full disclosure, with the addition that all stakeholders agree on a period of time to wait before patching the security vulnerability and publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding those facts could suggest a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Corresponding to the impact of the vulnerability, it may require a period between a few weeks and several months. It is easier to patch software by using the internet as a distribution channel. [1]
Full Disclosure:

Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to save face. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.

In the realm of computer vulnerabilities, disclosure is often achieved via mailing lists such as Bugtraq and Full Disclosure, and by other means. [2]
Microsoft requires "responsible disclosure" in order for security experts to get any credit for discovering vulnerabilities. I put the phrase in quotes because, based on the definition above, RD has an agreed-upon time limit, but while Microsoft calls their process RD, the company doesn't commit to any time frame and generally holds the secret until a patch is released. Researchers have decided to disclose the vulnerability to the public and been denied credit from MS because of the disclosure.

Now, it appears that the awful Internet Explorer / Windows XP (or Server 2003) exploit has been known to MS since at least December 2007. We'll never know exactly how long because the report (CVE-2008-0015) is protected by a non-disclosure agreement.

Attacks have been going on for at least a month (who really knows?). There's still no patch, and there's no time frame for one, either. There's a workaround, but no patch.

Disgusting. People have been vulnerable for way too long, and MS knew it. This is why I and many others support full disclosure. Patches are released quickly and users are aware of the danger.

