LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Firefox buffer overflow and full disclosure

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:22 UTC (Fri) by gerv (subscriber, #3376)
In reply to: Firefox buffer overflow and full disclosure by RobSeace
Parent article: Firefox buffer overflow and full disclosure

They are under absolutely NO obligation to treat the developers with any level of deference, or to cut them any slack in getting a patch together before going public, or even to notify them personally ahead of time at all!
Perhaps not; but they are under a moral obligation to the users of the product not to expose them to unnecessary risk. And that means responsible disclosure.

(Log in to post comments)

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 16:46 UTC (Fri) by RobSeace (subscriber, #4435) [Link]

No, they most certainly are NOT under any obligation to the users of the
software, any more than to the developers of it... Moral, or otherwise...

Besides which, publically releasing the details of the flaw they discovered
is benefiting and protecting the users, NOT exposing them to any kind of
risk... They WERE previously at risk for who-knows-how-long, because they
were using buggy, exploitable software; but, NOW, they've been informed of
the problems with it, and can take action to protect themselves... Therefore,
they are at much LESS risk than they were before the public disclosure!
It's really quite simple... You seem to be laboring under the delusion
that the security hole doesn't exist until it has been publically disclosed...
If that were true, then the "responsible disclosure" people might actually
have a valid point... But, it's not true in any way, shape, or form...
They don't CREATE these security holes merely by discovering their existence...
The holes were pre-existing, and it wouldn't be "responsible" or "moral" to
keep knowledge of their existence private, after they have been discovered...
In fact, it would be extremely dangerous and INCREASE users' risk, unless
you kept it completely to yourself, and you were honorable enough to never
take advantage of the security hole yourself... If you tell ANYONE about
it (even just the developers), you increase users' risk, unless you also
tell all of the users at the same time... Because, you can't vouch for
the ethics of everyone you tell (or everyone they tell, or everyone THEY
tell, or etc.)... Once you tell another living soul, the cat is out of
the bag, and you have to consider the exploit "in the wild", basically...
And, failing to inform the users in that case, and leaving them vulnerable
to being exploited by the hole all that time, is what is truly "irresponsible"
and "immoral"...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 21:20 UTC (Fri) by gerv (subscriber, #3376) [Link]

publically releasing the details of the flaw they discovered is benefiting and protecting the users, NOT exposing them to any kind of risk...
That's clearly not true. The more black hats know about the flaw, the more at risk users are. Claiming that releasing details while there's no patch available does not expose users to any extra risk at all is a ridiculous position, not even generally held by advocates of immediate disclosure (who normally say: "Yes, there's an extra risk, but it's worth it to kick the vendor into action"). In a few types of flaw, users can take action to protect themselves, but normally they are at the mercy of the vendor to provide a patch. So revealing the information to the user does not benefit them at all, because they are in exactly the same position as previously - waiting for their vendor. Except now there are more people who know how to attack them.
You seem to be laboring under the delusion that the security hole doesn't exist until it has been publically disclosed...
I don't think my comments say that at all. I am merely making the point that the risk associated with a hole is equal to the severity of the problem multiplied by the number of people with evil intent who know about it. There are probably 100 holes in [pick-a-product-name] right now which are zero risk, because 0 people know about them - they haven't been discovered by anyone yet. Again, in a limited number of cases, a hole has to be revealed when there's no patch because either the vendor is uncooperative or has made it clear they aren't going to produce a fix. But neither of those things was true in this case.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:05 UTC (Fri) by RobSeace (subscriber, #4435) [Link]

> The more black hats know about the flaw, the more at risk users are.

Only if the users remain ignorant of it, as well... Using analogies for
stuff like this never works well, but: every "black hat" on the planet
knows about the flaw inherent in windows (the glass kind, not the OS):
namely, that they're easy to break, and thereby can provide unintended
access to a house/car/whatever... However, every "user" of windows also
knows about that flaw, and chooses to either live with the risk, or
invest in better protection (barred windows, security system, whatever)
if they need it... But, suppose the "users" didn't know about this, and
believed windows to be utterly impenetrable and perfectly safe... Do you
think these ignorant users are somehow safer in their ignorance than the
informed users?? Even if less "black hats" know about the flaw, the fact
is they are at risk from those few that do (and any future ones who figure
it out on their own, as "black hats" are wont to do)... And, in their
ignorance, they may be exposing highly sensitive and important stuff that
they dearly wish to protect, and think they ARE protecting via the use of
what they think are impenetrable windows... Compared to the real informed
"users", who know better than to rely on windows to protect anything
important... So, tell me again, how keeping users ignorant protects them,
or is somehow for their own good??

> In a few types of flaw, users can take action to protect themselves, but
> normally they are at the mercy of the vendor to provide a patch.

That's just not true... Users can ALWAYS take some action to protect
themselves: stop using the vulnerable product until it's fixed! Yes, that
may be a dramatic and unrealistic choice for many users in many cases, but
the fact is that it IS an option, and all users deserve to be informed of
the problem so they can exercise that option if they choose to... But,
there are usually much less drastic options users can take, as well... Such
as firewalling off ports (assuming network attack), or tweaking config
settings to disable the buggy feature (such as in this Firefox IDN case),
etc... No one is "at the mercy of" any vendor, to that extent... They
always have some choice in the matter... But, keeping them ignorant robs
them of that choice, and leaves them vulnerable...

To use another unworkable analogy: if Consumer Reports learned of a flaw
in all Ford cars, whereby someone could easily unlock the doors by tapping
them in just the right spot (or something similar), would you rather they
quietly just tell Ford about it and wait for them to take months/years to
do anything about it, or would you rather know about it yourself, so you
can replace the locks on your Ford your own damn self?? I think being
informed is ALWAYS a good thing, and being kept ignorant is NEVER a good
thing, no matter what the situation or scenario... So, I can't fathom how
people buy into this "responsible disclosure" nonsense, that basically says
"Yes, please, keep me entirely in the dark about the gaping security holes
in the software I'm using, while my software vendor takes their sweet time
to twiddle their thumbs and maybe throw together a patch, all the while
leaving me vulnerable to this now increasingly well-known exploit, which
who-knows-how-many people now know about!"... THAT, is what I call being
"at the mercy of the vendor" (and, all of the countless people they and
the original bug-reporter have informed, either directly or indirectly)...
And, it's NOT something I want to be...

> There are probably 100 holes in [pick-a-product-name] right now which are
> zero risk, because 0 people know about them - they haven't been
> discovered by anyone yet.

Yeah, sure, if literally NO ONE has discovered them, then yes there is zero
risk... But, in the scenarios we are discussing, that is NOT the case...
At least ONE person has discovered them, already... And, he's probably
told the vendor, which in turns means probably more than one developer
there has been informed of it... And, any of them may offhandedly tell a
friend or two about it... And, so on...

Not to mention the fact that you never KNOW whether or not anyone else
might have already previously discovered any given hole, and simply haven't
told anyone about it, because they'd rather keep it their own little
secret weapon...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:29 UTC (Fri) by gerv (subscriber, #3376) [Link]

To use another unworkable analogy: if Consumer Reports learned of a flaw in all Ford cars, whereby someone could easily unlock the doors by tapping them in just the right spot (or something similar), would you rather they quietly just tell Ford about it and wait for them to take months/years to do anything about it, or would you rather know about it yourself, so you can replace the locks on your Ford your own damn self??
I'd tell Ford: "You have two weeks to make sure all of your dealerships around the world have a decent stock of replacement locks. Then I'm going public." Which is the exact equivalent of responsible disclosure.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:49 UTC (Fri) by RobSeace (subscriber, #4435) [Link]

But, why is that more "responsible" than immediately going public? (Which,
I believe, is what Consumer Reports usually actually does...) And, why
two weeks? Who made up that number, and deemed it to be the "responsible"
time-frame? What if the vendor really can't possibly get a fix out in
less than 6 months? Is it "responsible" to inform the public 5.5 months
early? If so, then why exactly wasn't it to do so 2 weeks earlier than
that?? (It's clearly NOT "responsible" to cave to the vendor, and sit
on the issue for 6 months... But, what I'm curious about is what is it
that distinguishes the 2 weeks from the 6 months for you?? In this day
and age, can't 2 weeks of being vulnerable to a known security hole be
just as dangerous as 6 months? So, why not simply inform the users right
from the start, so they can protect themselves until the vendor takes
however long it needs to to fix the issue?)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 0:38 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

I'd be interested to know what Consumer Reports' policy on this is. I'm not sure it has ever faced the situation. I know Consumer Reports doesn't give any advance warning to manufacturers of defects and other weaknesses in their products that CR intends to publicize, but that's a statement about CR not owing the manufacturer anything. Are these ever defects where some consumers would be hurt just by the publication? Like the Ford lock analogy?

I read all the time about journalists withholding information for the public good, and I suspect Consumer Reports really would withhold that Ford lock story until Ford had plenty of time to mitigate the problem.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:35 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

> Are these ever defects where some consumers would be hurt just by the
> publication?

Once again, I don't buy that the "publication" would be responsible for
anyone getting "hurt"... The flaw already exists; merely remaining silent
about it doesn't change the fact... In fact, as I've stated, remaining
only 'partially' silent (ie: informing the vendor, and thereby indirectly
who-knows-how-many people, whose morals and ethics you know nothing about)
is definitely worse... Remaining COMPLETELY silent (as in telling NO ONE
at all, and not using the info yourself) is safe enough, for now... Until
someone else comes along and discovers the same flaw... (If one person can
find it, so can another... In fact, in all likelihood, the chances are good
that someone else has previously already discovered the flaw, and simply
haven't told anyone yet...) So, the only rational course that I can see is
to inform the public at large, so they can protect themselves...

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 22:29 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

I don't buy that the "publication" would be responsible for anyone getting "hurt"

I assume "responsible" is the key word here. I think it's obvious that many people would have their cars broken into if the flaw became common knowledge early who would not have their cars broken into if Ford had time to prepare before it became common knowledge. It's equally clear that there are many people in the opposite situation -- they would avoid the breakin by having the flaw become common knowledge earlier.

So I assume you're just saying that spreading the word isn't responsible for any breakins, even though it is obviously a contributing cause. Like the idea that if you leave a pair of glasses on the floor and someone steps on them, the stepper is not responsible for the damage.

There are plenty of people who would argue either side of the responsibility question. I still believe in the Consumer Reports analogy, CR would assume responsibility and not publish immediately. It seems to be the prevalent view in journalism, and especially among social good organizations like Consumer's Union (publisher of CR).

Firefox buffer overflow and full disclosure

Posted Sep 18, 2005 15:40 UTC (Sun) by RobSeace (subscriber, #4435) [Link]

> So I assume you're just saying that spreading the word isn't responsible
> for any breakins, even though it is obviously a contributing cause. Like
> the idea that if you leave a pair of glasses on the floor and someone steps
> on them, the stepper is not responsible for the damage.

Well, more in the way that someone who informs you the building is on
fire isn't responsible for setting it... Instead, he's warning you of it,
so you can take action to protect yourself... Or, I suppose a more apt
analogy would be one who notices that the room where everyone gathers to
smoke is actually filled with barrels of gas and boxes of dynamite, which
no one else has ever spotted before... Should he quietly tell management,
so they can silently remove the dangerous items, or should he warn the
smokers so they don't accidentally blow themselves up?? Even if it does
mean that a malicious smoker among them might use the opportunity to blow
up the building just because he hates the place, or something...

> CR would assume responsibility and not publish immediately.

I'm not so sure that's correct... I don't really know for sure, but I
actually suspect they would be more concerned with informing the public
ASAP, since that basically seems to be their core mission... *shrug*

But, regardless of what they would really do, I certainly don't think it
would be "irresponsible" or "immoral" of them to inform the public ASAP...
Nor, do I see any increased "responsibility"/"morality" in any orgination
that would keep the info secret from the public for any length of time...
I can see how they might be trying to do good and protect people, but I
really think they'd be deluding themselves, because being informed is
always the best way of protecting oneself, and will always be far better
than being kept ignorant while those-who-think-they-know-better-than-you
decide your fate...

Firefox buffer overflow and full disclosure

Posted Oct 10, 2005 1:47 UTC (Mon) by turpie (guest, #5219) [Link]

That's a very poor analogy. Such a fire hazard could result in legitimate users accidently creating a life threatening disaster. Hardly similar to a security bug in a web browser.

Most users would be unable to create their own patches to fix a security hole, and unlikely to want to go to the hassle of swapping to another program if their preferred choice of program is likely to be fixed in a couple of days. I believe developers should be notified of the bug and told that they would have no more than 14 days to fix the problem before it is made public. The developers would then have time to fix or workaround the bug, test and release an update before the blackhats were informed. If the developers didn't respond in time then that fact should be a part the security disclosure so the users may be better informed and can then change their software preferences.

Relation between disclosure and risk

Posted Sep 17, 2005 3:08 UTC (Sat) by vonbrand (subscriber, #4458) [Link]

It is not so simple... The risk is a growing function of how many black hats know about the problem. So, the disclosure increases risk, as black hats as a whole are rather secretive about their exploits. On the other hand, knowing about the risk helps taking countermeasures, so decreases risk. It simply isn't clear which of the two tendencies wins out. I'd wager that most users just rely on the "automatic upgrade" of their software, so public disclosure (somewhat) synchronized with the patch release schedule of the vendors should minimize risk.

Relation between disclosure and risk

Posted Sep 17, 2005 15:39 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Sure, most users are lazy/ignorant, and may not do anything to protect
themselves even when informed... But, does that mean those of us who are
NOT lazy and ignorant, and who are willing to take whatever measures
necessary to protect ourselves should be kept in the dark, and put at
increased risk, simply to protect the lazy and ignorant users?? I'm sorry,
but I don't accept that... I think everyone should be given the chance
to protect themselves, and if they fail to take it, well that's their own
choice...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds