Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 21:20 UTC (Fri) by gerv (guest, #3376)
In reply to: Firefox buffer overflow and full disclosure by RobSeace
Parent article: Firefox buffer overflow and full disclosure

publically releasing the details of the flaw they discovered is benefiting and protecting the users, NOT exposing them to any kind of risk...

That's clearly not true. The more black hats know about the flaw, the more at risk users are. Claiming that releasing details while there's no patch available does not expose users to any extra risk at all is a ridiculous position, not even generally held by advocates of immediate disclosure (who normally say: "Yes, there's an extra risk, but it's worth it to kick the vendor into action"). In a few types of flaw, users can take action to protect themselves, but normally they are at the mercy of the vendor to provide a patch. So revealing the information to the user does not benefit them at all, because they are in exactly the same position as previously - waiting for their vendor. Except now there are more people who know how to attack them.

You seem to be laboring under the delusion that the security hole doesn't exist until it has been publically disclosed...

I don't think my comments say that at all. I am merely making the point that the risk associated with a hole is equal to the severity of the problem multiplied by the number of people with evil intent who know about it. There are probably 100 holes in [pick-a-product-name] right now which are zero risk, because 0 people know about them - they haven't been discovered by anyone yet. Again, in a limited number of cases, a hole has to be revealed when there's no patch because either the vendor is uncooperative or has made it clear they aren't going to produce a fix. But neither of those things was true in this case.

to post comments

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:05 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (7 responses)

> The more black hats know about the flaw, the more at risk users are.

Only if the users remain ignorant of it, as well... Using analogies for
stuff like this never works well, but: every "black hat" on the planet
knows about the flaw inherent in windows (the glass kind, not the OS):
namely, that they're easy to break, and thereby can provide unintended
access to a house/car/whatever... However, every "user" of windows also
knows about that flaw, and chooses to either live with the risk, or
invest in better protection (barred windows, security system, whatever)
if they need it... But, suppose the "users" didn't know about this, and
believed windows to be utterly impenetrable and perfectly safe... Do you
think these ignorant users are somehow safer in their ignorance than the
informed users?? Even if less "black hats" know about the flaw, the fact
is they are at risk from those few that do (and any future ones who figure
it out on their own, as "black hats" are wont to do)... And, in their
ignorance, they may be exposing highly sensitive and important stuff that
they dearly wish to protect, and think they ARE protecting via the use of
what they think are impenetrable windows... Compared to the real informed
"users", who know better than to rely on windows to protect anything
important... So, tell me again, how keeping users ignorant protects them,
or is somehow for their own good??

> In a few types of flaw, users can take action to protect themselves, but
> normally they are at the mercy of the vendor to provide a patch.

That's just not true... Users can ALWAYS take some action to protect
themselves: stop using the vulnerable product until it's fixed! Yes, that
may be a dramatic and unrealistic choice for many users in many cases, but
the fact is that it IS an option, and all users deserve to be informed of
the problem so they can exercise that option if they choose to... But,
there are usually much less drastic options users can take, as well... Such
as firewalling off ports (assuming network attack), or tweaking config
settings to disable the buggy feature (such as in this Firefox IDN case),
etc... No one is "at the mercy of" any vendor, to that extent... They
always have some choice in the matter... But, keeping them ignorant robs
them of that choice, and leaves them vulnerable...

To use another unworkable analogy: if Consumer Reports learned of a flaw
in all Ford cars, whereby someone could easily unlock the doors by tapping
them in just the right spot (or something similar), would you rather they
quietly just tell Ford about it and wait for them to take months/years to
do anything about it, or would you rather know about it yourself, so you
can replace the locks on your Ford your own damn self?? I think being
informed is ALWAYS a good thing, and being kept ignorant is NEVER a good
thing, no matter what the situation or scenario... So, I can't fathom how
people buy into this "responsible disclosure" nonsense, that basically says
"Yes, please, keep me entirely in the dark about the gaping security holes
in the software I'm using, while my software vendor takes their sweet time
to twiddle their thumbs and maybe throw together a patch, all the while
leaving me vulnerable to this now increasingly well-known exploit, which
who-knows-how-many people now know about!"... THAT, is what I call being
"at the mercy of the vendor" (and, all of the countless people they and
the original bug-reporter have informed, either directly or indirectly)...
And, it's NOT something I want to be...

> There are probably 100 holes in [pick-a-product-name] right now which are
> zero risk, because 0 people know about them - they haven't been
> discovered by anyone yet.

Yeah, sure, if literally NO ONE has discovered them, then yes there is zero
risk... But, in the scenarios we are discussing, that is NOT the case...
At least ONE person has discovered them, already... And, he's probably
told the vendor, which in turns means probably more than one developer
there has been informed of it... And, any of them may offhandedly tell a
friend or two about it... And, so on...

Not to mention the fact that you never KNOW whether or not anyone else
might have already previously discovered any given hole, and simply haven't
told anyone about it, because they'd rather keep it their own little
secret weapon...

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:29 UTC (Fri) by gerv (guest, #3376) [Link] (6 responses)

To use another unworkable analogy: if Consumer Reports learned of a flaw in all Ford cars, whereby someone could easily unlock the doors by tapping them in just the right spot (or something similar), would you rather they quietly just tell Ford about it and wait for them to take months/years to do anything about it, or would you rather know about it yourself, so you can replace the locks on your Ford your own damn self??

I'd tell Ford: "You have two weeks to make sure all of your dealerships around the world have a decent stock of replacement locks. Then I'm going public." Which is the exact equivalent of responsible disclosure.

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 22:49 UTC (Fri) by RobSeace (subscriber, #4435) [Link] (5 responses)

But, why is that more "responsible" than immediately going public? (Which,
I believe, is what Consumer Reports usually actually does...) And, why
two weeks? Who made up that number, and deemed it to be the "responsible"
time-frame? What if the vendor really can't possibly get a fix out in
less than 6 months? Is it "responsible" to inform the public 5.5 months
early? If so, then why exactly wasn't it to do so 2 weeks earlier than
that?? (It's clearly NOT "responsible" to cave to the vendor, and sit
on the issue for 6 months... But, what I'm curious about is what is it
that distinguishes the 2 weeks from the 6 months for you?? In this day
and age, can't 2 weeks of being vulnerable to a known security hole be
just as dangerous as 6 months? So, why not simply inform the users right
from the start, so they can protect themselves until the vendor takes
however long it needs to to fix the issue?)

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 0:38 UTC (Sat) by giraffedata (guest, #1954) [Link] (4 responses)

I'd be interested to know what Consumer Reports' policy on this is. I'm not sure it has ever faced the situation. I know Consumer Reports doesn't give any advance warning to manufacturers of defects and other weaknesses in their products that CR intends to publicize, but that's a statement about CR not owing the manufacturer anything. Are these ever defects where some consumers would be hurt just by the publication? Like the Ford lock analogy?

I read all the time about journalists withholding information for the public good, and I suspect Consumer Reports really would withhold that Ford lock story until Ford had plenty of time to mitigate the problem.

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 15:35 UTC (Sat) by RobSeace (subscriber, #4435) [Link] (3 responses)

> Are these ever defects where some consumers would be hurt just by the
> publication?

Once again, I don't buy that the "publication" would be responsible for
anyone getting "hurt"... The flaw already exists; merely remaining silent
about it doesn't change the fact... In fact, as I've stated, remaining
only 'partially' silent (ie: informing the vendor, and thereby indirectly
who-knows-how-many people, whose morals and ethics you know nothing about)
is definitely worse... Remaining COMPLETELY silent (as in telling NO ONE
at all, and not using the info yourself) is safe enough, for now... Until
someone else comes along and discovers the same flaw... (If one person can
find it, so can another... In fact, in all likelihood, the chances are good
that someone else has previously already discovered the flaw, and simply
haven't told anyone yet...) So, the only rational course that I can see is
to inform the public at large, so they can protect themselves...

Firefox buffer overflow and full disclosure

Posted Sep 17, 2005 22:29 UTC (Sat) by giraffedata (guest, #1954) [Link] (2 responses)

I don't buy that the "publication" would be responsible for anyone getting "hurt"

I assume "responsible" is the key word here. I think it's obvious that many people would have their cars broken into if the flaw became common knowledge early who would not have their cars broken into if Ford had time to prepare before it became common knowledge. It's equally clear that there are many people in the opposite situation -- they would avoid the breakin by having the flaw become common knowledge earlier.

So I assume you're just saying that spreading the word isn't responsible for any breakins, even though it is obviously a contributing cause. Like the idea that if you leave a pair of glasses on the floor and someone steps on them, the stepper is not responsible for the damage.

There are plenty of people who would argue either side of the responsibility question. I still believe in the Consumer Reports analogy, CR would assume responsibility and not publish immediately. It seems to be the prevalent view in journalism, and especially among social good organizations like Consumer's Union (publisher of CR).

Firefox buffer overflow and full disclosure

Posted Sep 18, 2005 15:40 UTC (Sun) by RobSeace (subscriber, #4435) [Link] (1 responses)

> So I assume you're just saying that spreading the word isn't responsible
> for any breakins, even though it is obviously a contributing cause. Like
> the idea that if you leave a pair of glasses on the floor and someone steps
> on them, the stepper is not responsible for the damage.

Well, more in the way that someone who informs you the building is on
fire isn't responsible for setting it... Instead, he's warning you of it,
so you can take action to protect yourself... Or, I suppose a more apt
analogy would be one who notices that the room where everyone gathers to
smoke is actually filled with barrels of gas and boxes of dynamite, which
no one else has ever spotted before... Should he quietly tell management,
so they can silently remove the dangerous items, or should he warn the
smokers so they don't accidentally blow themselves up?? Even if it does
mean that a malicious smoker among them might use the opportunity to blow
up the building just because he hates the place, or something...

> CR would assume responsibility and not publish immediately.

I'm not so sure that's correct... I don't really know for sure, but I
actually suspect they would be more concerned with informing the public
ASAP, since that basically seems to be their core mission... *shrug*

But, regardless of what they would really do, I certainly don't think it
would be "irresponsible" or "immoral" of them to inform the public ASAP...
Nor, do I see any increased "responsibility"/"morality" in any orgination
that would keep the info secret from the public for any length of time...
I can see how they might be trying to do good and protect people, but I
really think they'd be deluding themselves, because being informed is
always the best way of protecting oneself, and will always be far better
than being kept ignorant while those-who-think-they-know-better-than-you
decide your fate...

Firefox buffer overflow and full disclosure

Posted Oct 10, 2005 1:47 UTC (Mon) by turpie (guest, #5219) [Link]

That's a very poor analogy. Such a fire hazard could result in legitimate users accidently creating a life threatening disaster. Hardly similar to a security bug in a web browser.

Most users would be unable to create their own patches to fix a security hole, and unlikely to want to go to the hassle of swapping to another program if their preferred choice of program is likely to be fixed in a couple of days. I believe developers should be notified of the bug and told that they would have no more than 14 days to fix the problem before it is made public. The developers would then have time to fix or workaround the bug, test and release an update before the blackhats were informed. If the developers didn't respond in time then that fact should be a part the security disclosure so the users may be better informed and can then change their software preferences.