User: Password:
Subscribe / Log in / New account


Vulnerability disclosure policies

By Jake Edge
July 7, 2010

Security vulnerability disclosure policy is contentious. Vendors typically argue for "responsible disclosure", while some in the security community think that "full disclosure" is the only way to fully protect the users of vulnerable software. There are other disclosure policies as well, but it is important to note that security researchers are under no obligation to disclose flaws that they find at all, which is something that all entities distributing software—vendors, projects, distributions, and so forth—should keep in mind. Anyone who finds a vulnerability and points it out is doing so as a favor, regardless of how the disclosure is done.

Full disclosure is the policy to immediately disclose the details of a vulnerability as soon as it is found. That may alert attackers to the flaw, but it also alerts users and allows them to make choices about mitigating the problem. It also puts enormous pressure on the maker of the software to produce a fix in a timely fashion.

Responsible disclosure, on the other hand, puts the choices largely in the hands of the vendor or project. The idea is to give the software maker some amount of time (usually on the order of weeks) to fix the problem and release a patch before any disclosure of the flaw is made. It is meant to be "responsible" to users, so that attackers don't get a leg up on the installed, vulnerable software before there is a fix available. But, responsible disclosure pre-supposes that attackers are not already aware of—and exploiting—the flaw.

There has also been a trend toward "partial disclosure" in the last few years. Typically practiced by those looking to make a name for themselves—and/or bring publicity to their research firm—partial disclosures are pretty much what they sound like: the announcement of the existence of a flaw with as few details as possible. But there is a fine, and difficult to draw, line between providing enough details to convince the security community that there is a flaw and not disclosing so much that others can figure out what that flaw is. Eventually, partial disclosures become some other kind of disclosure, either through the efforts of the original finder, or because other researchers were able to figure out the flaw from the clues.

Something of a new wrinkle in disclosure policy is zero (or no) disclosure—at least without payment. VUPEN Security has announced two vulnerabilities in Microsoft Office 2010 on its security blog, but is unwilling to disclose them to Microsoft until and unless the software giant ponies up for the information. The H quotes VUPEN CEO Chaouki Bekrar: "Why should security services providers give away for free information aimed at making paid-for software more secure?"

While there is nothing that requires security researchers to alert software makers to bugs in their code, it is a longstanding tradition to disclose those flaws. But security companies may now be more focused on mitigating any vulnerabilities they find for their customers, leaving the rest of the user community high and dry. At least until some deep-pocketed organization steps up and pays. While some in our community might be amused that Microsoft (and its users) are being treated this way, it may not be so funny if it starts happening to Linux or free software projects.

Microsoft is hardly blameless here. For years it treated security vulnerabilities as a public relations problem at worst. It has also had a rocky relationship with the security community, which has led to more than one exasperated disclosure of a "zero day" vulnerability. A recent privilege escalation in Vista and Server 2008 is just such a disclosure; researchers annoyed by criticism of Tavis Ormandy for the release of a Windows vulnerability formed the "Microsoft-Spurned Researcher Collective"—MSRC, just like the Microsoft Security Response Center—to anonymously make these kinds of zero day disclosures. It should be noted, though, that Microsoft is not alone; the Linux kernel community has also had a combative relationship with security researchers at times.

While there is little direct harm in security researchers keeping their knowledge of specific vulnerabilities to themselves, there is certainly the potential for harm with partial disclosures. This relatively new zero disclosure policy is, in reality, just a form of partial disclosure, and may provide attackers with just enough information to focus their efforts. If these researchers truly want to be paid for their efforts, they would be much better served by working with the established players in the vulnerability buying business (Tipping Point and others) or by approaching the affected vendor privately. For vulnerabilities in Linux and other free software, though, it's not particularly clear who would be willing to pick up the tab. We will just have to hope that, if that happens, any loud zero disclosure of a flaw like that provides enough clues for the "white hats" to track down the problem in short order.

Comments (14 posted)

Brief items

Quotes of the week

[FBI agent Maria] Ricci said the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches.
-- CNET on the perils of long passwords (by way of Bruce Schneier)

Out of all the devices, operating systems, ports, and protocols out there, only one is so fragile and insecure that we had to exclude it from Nmap version detection by default. That is HP JetDirect (TCP ports 9100-9107). No matter what random crap you spew at the port, it will generally either crash the machine or start spewing out paper. When Nmap version detection was first released 7 years ago, we had so much immediate feedback about HP printer problems that we "temporarily" blocked those ports by default to give HP a chance to fix the problems. We're still waiting for that to happen! The HP printer I bought this year still goes haywire and starts beeping and spewing paper if I enable the HP JD ports by scanning it with "nmap -A --allports hostname".
-- Nmap author Fyodor

Comments (1 posted)

New vulnerabilities

acroread: multiple arbitrary code execution vulnerabilities

Package(s):acroread CVE #(s):CVE-2010-1240 CVE-2010-1285 CVE-2010-1295 CVE-2010-1297 CVE-2010-2168 CVE-2010-2201 CVE-2010-2202 CVE-2010-2203 CVE-2010-2204 CVE-2010-2205 CVE-2010-2206 CVE-2010-2207 CVE-2010-2208 CVE-2010-2209 CVE-2010-2210 CVE-2010-2211 CVE-2010-2212
Created:July 1, 2010 Updated:January 21, 2011

From the CVE entry:

CVE-2010-2203: Adobe Reader and Acrobat 9.x before 9.3.3 on UNIX allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

Note that all of the other CVEs are listed as Windows and MacOS X only. In addition, they are all as opaque as the above.

Gentoo 201101-09 flash-player 2011-01-21
Gentoo 201009-05 acroread 2010-09-07
openSUSE openSUSE-SU-2010:0573-1 acroread 2010-09-01
SUSE SUSE-SA:2010:037 acroread 2010-09-01
Red Hat RHSA-2010:0503-01 acroread 2010-06-30
openSUSE openSUSE-SU-2010:0359-1 acroread 2010-07-08
MeeGo MeeGo-SA-10:10 flash-plugin 2010-07-07
SUSE SUSE-SA:2010:029 acroread 2010-07-08

Comments (none posted)

avahi: denial of service

Package(s):avahi CVE #(s):CVE-2010-2244
Created:July 6, 2010 Updated:May 19, 2011
Description: From the Red Hat bugzilla:

A deficiency in the way avahi daemon processed packets with corrupted checksum(s). A remote attacker on the same local are network (LAN) could send a DNS packet with broken checksum, that would cause avahi-daemon to exit unexpectedly due to a failed assertion check.

Gentoo 201110-17 avahi 2011-10-22
CentOS CESA-2011:0436 avahi 2011-04-14
Red Hat RHSA-2011:0436-01 avahi 2011-04-12
Red Hat RHSA-2011:0779-01 avahi 2011-05-19
Pardus 2011-67 avahi 2011-04-07
Ubuntu USN-992-1 avahi 2010-09-29
Debian DSA-2086-1 avahi 2010-08-04
Mandriva MDVSA-2010:204 avahi 2010-10-14
CentOS CESA-2010:0528 avahi 2010-07-14
Fedora FEDORA-2010-10581 avahi 2010-06-30
Red Hat RHSA-2010:0528-01 avahi 2010-07-13
Pardus 2010-97 avahi 2010-07-08
Fedora FEDORA-2010-10584 avahi 2010-06-30

Comments (none posted)

bugzilla: information disclosure

Package(s):bugzilla CVE #(s):CVE-2010-1204
Created:July 6, 2010 Updated:August 27, 2010
Description: From the CVE entry: in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search."

Fedora FEDORA-2010-10398 bugzilla 2010-06-25
Fedora FEDORA-2010-10669 bugzilla 2010-07-05

Comments (none posted)

gcc: directory traversal

Package(s):gcc CVE #(s):CVE-2010-0831 CVE-2010-2322
Created:July 6, 2010 Updated:September 28, 2012
Description: From the Red Hat bugzilla:

Dan Rosenberg reported a directory traversal flaw in fastjar that allows an attacker, who is able to convince a victim to extract a malicious .jar file, to overwrite arbitrary files on disk without prompting the victim. The files to be overwritten must be writable by the user extracting the .jar file.

Gentoo 201209-21 fastjar 2012-09-27
Red Hat RHSA-2011:0025-01 gcc 2011-01-13
Fedora FEDORA-2010-10640 libtool 2010-07-01
Fedora FEDORA-2010-10640 gcc 2010-07-01
Fedora FEDORA-2010-10415 gcc 2010-06-25

Comments (none posted)

libtiff: out-of-bounds writes

Package(s):libtiff CVE #(s):CVE-2010-2233
Created:July 2, 2010 Updated:August 9, 2010
Description: From the Red Hat bugzilla:

A flaw was found in a way libtiff handled vertically flipped (i.e. with negative toskew) images on 64bit platforms. Numeric computation used to calculate buffer pointer was done in the way that incorrectly extended from 32bit type to 64bit, resulting in out-of-bounds writes.

Gentoo 201209-02 tiff 2012-09-23
Mandriva MDVSA-2010:146 libtiff 2010-08-06
Fedora FEDORA-2010-10334 libtiff 2010-06-24
Fedora FEDORA-2010-10333 libtiff 2010-06-24

Comments (none posted)

mahara: multiple vulnerabilities

Package(s):mahara CVE #(s):CVE-2010-1667 CVE-2010-1668 CVE-2010-1670 CVE-2010-2479
Created:July 2, 2010 Updated:August 23, 2010
Description: From the Debian advisory:

Several vulnerabilities were discovered in mahara, an electronic portfolio, weblog, and resume builder. The following Common Vulnerabilities and Exposures project ids identify them:

Multiple pages performed insufficient input sanitising, making them vulnerable to cross-site scripting attacks. (CVE-2010-1667)

Multiple forms lacked protection against cross-site request forgery attacks, therefore making them vulnerable. (CVE-2010-1668)

Gregor Anzelj discovered that it was possible to accidentally configure an installation of mahara that allows access to another user's account without a password. (CVE-2010-1670)

Certain Internet Explorer-specific cross-site scripting vulnerabilities were discovered in HTML Purifier, of which a copy is included in the mahara package. (CVE-2010-2479)

Fedora FEDORA-2010-13254 moodle 2010-08-21
Fedora FEDORA-2010-13250 moodle 2010-08-21
Debian DSA-2067-1 mahara 2010-07-02

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2010-1189 CVE-2010-1190
Created:July 6, 2010 Updated:July 7, 2010
Description: From the Fedora advisory:

Three security issues are fixed in this update: A CSS validation issue was discovered which allows editors to display external images in wiki pages. A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. MediaWiki was found to be vulnerable to login CSRF. The upstream authors recommend that all public wikis should be upgraded if possible. The fix includes a breaking change to the API login action. Any clients using it will need to be updated.

Fedora FEDORA-2010-6335 mediawiki 2010-04-10

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2010-1647 CVE-2010-1648
Created:July 6, 2010 Updated:July 7, 2010
Description: From the Fedora advisory:

CVE-2010-1647 Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer.

CVE-2010-1648 Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form.

Fedora FEDORA-2010-10848 mediawiki 2010-07-06
Fedora FEDORA-2010-10779 mediawiki 2010-07-06

Comments (none posted)

rpm: privilege escalation

Package(s):rpm CVE #(s):CVE-2010-2059 CVE-2010-2198
Created:July 6, 2010 Updated:September 22, 2010
Description: From the CVE entries:

lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file. (CVE-2010-2059)

lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059. (CVE-2010-2198)

Gentoo 201206-26 rpm 2012-06-24
openSUSE openSUSE-SU-2010:0627-1 rpm 2010-09-16
SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21
Mandriva MDVSA-2010:180 rpm 2010-09-13
CentOS CESA-2010:0679 rpm 2010-09-12
CentOS CESA-2010:0678 rpm 2010-09-09
Red Hat RHSA-2010:0679-01 rpm 2010-09-07
Red Hat RHSA-2010:0678-01 rpm 2010-09-07
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
openSUSE openSUSE-SU-2010:0428-1 rpm 2010-07-26
Fedora FEDORA-2010-10617 rpm 2010-07-01
Fedora FEDORA-2010-9829 rpm 2010-06-14

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds