LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Firefox buffer overflow and full disclosure

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:49 UTC (Fri) by RobSeace (subscriber, #4435)
In reply to: Firefox buffer overflow and full disclosure by gerv
Parent article: Firefox buffer overflow and full disclosure

But, why is that more "responsible" than immediately going public? (Which,
I believe, is what Consumer Reports usually actually does...) And, why
two weeks? Who made up that number, and deemed it to be the "responsible"
time-frame? What if the vendor really can't possibly get a fix out in
less than 6 months? Is it "responsible" to inform the public 5.5 months
early? If so, then why exactly wasn't it to do so 2 weeks earlier than
that?? (It's clearly NOT "responsible" to cave to the vendor, and sit
on the issue for 6 months... But, what I'm curious about is what is it
that distinguishes the 2 weeks from the 6 months for you?? In this day
and age, can't 2 weeks of being vulnerable to a known security hole be
just as dangerous as 6 months? So, why not simply inform the users right
from the start, so they can protect themselves until the vendor takes
however long it needs to to fix the issue?)

(Log in to post comments)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 0:38 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

I'd be interested to know what Consumer Reports' policy on this is. I'm not sure it has ever faced the situation. I know Consumer Reports doesn't give any advance warning to manufacturers of defects and other weaknesses in their products that CR intends to publicize, but that's a statement about CR not owing the manufacturer anything. Are these ever defects where some consumers would be hurt just by the publication? Like the Ford lock analogy?

I read all the time about journalists withholding information for the public good, and I suspect Consumer Reports really would withhold that Ford lock story until Ford had plenty of time to mitigate the problem.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:35 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

> Are these ever defects where some consumers would be hurt just by the
> publication?

Once again, I don't buy that the "publication" would be responsible for
anyone getting "hurt"... The flaw already exists; merely remaining silent
about it doesn't change the fact... In fact, as I've stated, remaining
only 'partially' silent (ie: informing the vendor, and thereby indirectly
who-knows-how-many people, whose morals and ethics you know nothing about)
is definitely worse... Remaining COMPLETELY silent (as in telling NO ONE
at all, and not using the info yourself) is safe enough, for now... Until
someone else comes along and discovers the same flaw... (If one person can
find it, so can another... In fact, in all likelihood, the chances are good
that someone else has previously already discovered the flaw, and simply
haven't told anyone yet...) So, the only rational course that I can see is
to inform the public at large, so they can protect themselves...

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 22:29 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

I don't buy that the "publication" would be responsible for anyone getting "hurt"

I assume "responsible" is the key word here. I think it's obvious that many people would have their cars broken into if the flaw became common knowledge early who would not have their cars broken into if Ford had time to prepare before it became common knowledge. It's equally clear that there are many people in the opposite situation -- they would avoid the breakin by having the flaw become common knowledge earlier.

So I assume you're just saying that spreading the word isn't responsible for any breakins, even though it is obviously a contributing cause. Like the idea that if you leave a pair of glasses on the floor and someone steps on them, the stepper is not responsible for the damage.

There are plenty of people who would argue either side of the responsibility question. I still believe in the Consumer Reports analogy, CR would assume responsibility and not publish immediately. It seems to be the prevalent view in journalism, and especially among social good organizations like Consumer's Union (publisher of CR).

Firefox buffer overflow and full disclosure

Posted Sep 18, 2005 15:40 UTC (Sun) by RobSeace (subscriber, #4435) [Link]

> So I assume you're just saying that spreading the word isn't responsible
> for any breakins, even though it is obviously a contributing cause. Like
> the idea that if you leave a pair of glasses on the floor and someone steps
> on them, the stepper is not responsible for the damage.

Well, more in the way that someone who informs you the building is on
fire isn't responsible for setting it... Instead, he's warning you of it,
so you can take action to protect yourself... Or, I suppose a more apt
analogy would be one who notices that the room where everyone gathers to
smoke is actually filled with barrels of gas and boxes of dynamite, which
no one else has ever spotted before... Should he quietly tell management,
so they can silently remove the dangerous items, or should he warn the
smokers so they don't accidentally blow themselves up?? Even if it does
mean that a malicious smoker among them might use the opportunity to blow
up the building just because he hates the place, or something...

> CR would assume responsibility and not publish immediately.

I'm not so sure that's correct... I don't really know for sure, but I
actually suspect they would be more concerned with informing the public
ASAP, since that basically seems to be their core mission... *shrug*

But, regardless of what they would really do, I certainly don't think it
would be "irresponsible" or "immoral" of them to inform the public ASAP...
Nor, do I see any increased "responsibility"/"morality" in any orgination
that would keep the info secret from the public for any length of time...
I can see how they might be trying to do good and protect people, but I
really think they'd be deluding themselves, because being informed is
always the best way of protecting oneself, and will always be far better
than being kept ignorant while those-who-think-they-know-better-than-you
decide your fate...

Firefox buffer overflow and full disclosure

Posted Oct 10, 2005 1:47 UTC (Mon) by turpie (guest, #5219) [Link]

That's a very poor analogy. Such a fire hazard could result in legitimate users accidently creating a life threatening disaster. Hardly similar to a security bug in a web browser.

Most users would be unable to create their own patches to fix a security hole, and unlikely to want to go to the hassle of swapping to another program if their preferred choice of program is likely to be fixed in a couple of days. I believe developers should be notified of the bug and told that they would have no more than 14 days to fix the problem before it is made public. The developers would then have time to fix or workaround the bug, test and release an update before the blackhats were informed. If the developers didn't respond in time then that fact should be a part the security disclosure so the users may be better informed and can then change their software preferences.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds