WatchGuard Wire
A plea for an end to Months of Irresponsible Disclosure
These "Month of [Something] Bug" projects are getting out of hand.
In 2006, researchers such as HD Moore and LMH initiated projects that
announce one new security bug a day for an entire month. Each bug released
during that month relates to a specific type of program or operating system component.
For example, Moore kicked off this concept with the Month
of Browser Bugs (MoBB) and LMH followed up with the Month
of Kernel Bugs (MoKB). More recently, Cesar Cerrudo announced a similar
project he called
the Week
of Oracle Database Bugs (WoODB), which he later cancelled for
reasons he did not share (many speculate that Oracle pressured him).
A few days ago,
Kevin Finisterre announced that he will make January 2007 the Month
of Apple Bugs (MoAB). Finisterre and the team
responsible for the Month of Kernel Bugs intend to release an Apple-related security
bug every day. These researchers say they hope to dispel the perception
that Apple doesn't suffer from the security vulnerabilities that Windows does.
Finisterre has also announced his intent to disclose bugs that Apple is unaware
of.
Are these bug-a-day revelations helpful to Internet security, or harmful?
During the initial Month of Browser Bugs I gave Moore's project the benefit
of the doubt, even though he intended to disclose vulnerabilities without first
informing the flaw's vendor. After all, Moore's done a lot for the security
community (Metasploit rocks)
and I respect him. However, I am finding it harder to see any
redeeming qualities in these types of projects. How does it help Apple users
when Finisterre announces a bunch of vulnerabilities without
first giving Apple time to patch them? Finisterre might argue that the
pressure this creates will force Apple to patch sooner. But how does he know
Apple wouldn't have patched the flaws quickly if he told Apple about them in
the first place? Meanwhile, poor Apple users are left hoping that evil hackers
don't use these now public flaws against them.
I think responsible Full Disclosure is good. Apple
users probably do need a security wake-up call, and need to stop relying on
the obscurity of their operating system. Publicly releasing all of
the information about a security vulnerability, including possible exploit
code, helps the programming community understand their mistakes and build more
secure code. It also helps administrators gauge the risk presented by vulnerabilities
so an admin can prioritize fixes. However, the "responsible" part
means the researcher should inform the vendor of the flaw, and give them time
to patch, before disclosing it publicly. It's just common sense to us "white
hats."
These Month of Bug projects promote irresponsible security vulnerability
disclosure. The cynic in me is beginning
to feel that these researchers are acting more for their own recognition
than for the good of the public.
Regardless of what I think, unless Finisterre decides to cancel MoAB as Cerrudo
did the WoODB, Apple administrators should expect their New Year to begin with
a busy and nerve-wracking January. --
Corey Nachreiner, CISSP