Security
Vulnerability disclosure policies
Security vulnerability disclosure policy is contentious. Vendors typically argue for "responsible disclosure", while some in the security community think that "full disclosure" is the only way to fully protect the users of vulnerable software. There are other disclosure policies as well, but it is important to note that security researchers are under no obligation to disclose flaws that they find at all, which is something that all entities distributing software—vendors, projects, distributions, and so forth—should keep in mind. Anyone who finds a vulnerability and points it out is doing so as a favor, regardless of how the disclosure is done.
Full disclosure is the policy to immediately disclose the details of a vulnerability as soon as it is found. That may alert attackers to the flaw, but it also alerts users and allows them to make choices about mitigating the problem. It also puts enormous pressure on the maker of the software to produce a fix in a timely fashion.
Responsible disclosure, on the other hand, puts the choices largely in the hands of the vendor or project. The idea is to give the software maker some amount of time (usually on the order of weeks) to fix the problem and release a patch before any disclosure of the flaw is made. It is meant to be "responsible" to users, so that attackers don't get a leg up on the installed, vulnerable software before there is a fix available. But, responsible disclosure pre-supposes that attackers are not already aware of—and exploiting—the flaw.
There has also been a trend toward "partial disclosure" in the last few years. Typically practiced by those looking to make a name for themselves—and/or bring publicity to their research firm—partial disclosures are pretty much what they sound like: the announcement of the existence of a flaw with as few details as possible. But there is a fine, and difficult to draw, line between providing enough details to convince the security community that there is a flaw and not disclosing so much that others can figure out what that flaw is. Eventually, partial disclosures become some other kind of disclosure, either through the efforts of the original finder, or because other researchers were able to figure out the flaw from the clues.
Something of a new wrinkle in disclosure policy is zero
(or no)
disclosure—at least without payment. VUPEN Security has
announced two vulnerabilities in Microsoft Office 2010 on its security blog, but is
unwilling to disclose them to Microsoft until and unless the software giant
ponies up for the information. The H quotes VUPEN CEO Chaouki Bekrar:
"Why should security services providers give away for free
information aimed at making paid-for software more secure?
"
While there is nothing that requires security researchers to alert software makers to bugs in their code, it is a longstanding tradition to disclose those flaws. But security companies may now be more focused on mitigating any vulnerabilities they find for their customers, leaving the rest of the user community high and dry. At least until some deep-pocketed organization steps up and pays. While some in our community might be amused that Microsoft (and its users) are being treated this way, it may not be so funny if it starts happening to Linux or free software projects.
Microsoft is hardly blameless here. For years it treated security vulnerabilities as a public relations problem at worst. It has also had a rocky relationship with the security community, which has led to more than one exasperated disclosure of a "zero day" vulnerability. A recent privilege escalation in Vista and Server 2008 is just such a disclosure; researchers annoyed by criticism of Tavis Ormandy for the release of a Windows vulnerability formed the "Microsoft-Spurned Researcher Collective"—MSRC, just like the Microsoft Security Response Center—to anonymously make these kinds of zero day disclosures. It should be noted, though, that Microsoft is not alone; the Linux kernel community has also had a combative relationship with security researchers at times.
While there is little direct harm in security researchers keeping their knowledge of specific vulnerabilities to themselves, there is certainly the potential for harm with partial disclosures. This relatively new zero disclosure policy is, in reality, just a form of partial disclosure, and may provide attackers with just enough information to focus their efforts. If these researchers truly want to be paid for their efforts, they would be much better served by working with the established players in the vulnerability buying business (Tipping Point and others) or by approaching the affected vendor privately. For vulnerabilities in Linux and other free software, though, it's not particularly clear who would be willing to pick up the tab. We will just have to hope that, if that happens, any loud zero disclosure of a flaw like that provides enough clues for the "white hats" to track down the problem in short order.
Brief items
Quotes of the week
New vulnerabilities
acroread: multiple arbitrary code execution vulnerabilities
| Package(s): | acroread | CVE #(s): | CVE-2010-1240 CVE-2010-1285 CVE-2010-1295 CVE-2010-1297 CVE-2010-2168 CVE-2010-2201 CVE-2010-2202 CVE-2010-2203 CVE-2010-2204 CVE-2010-2205 CVE-2010-2206 CVE-2010-2207 CVE-2010-2208 CVE-2010-2209 CVE-2010-2210 CVE-2010-2211 CVE-2010-2212 | ||||||||||||||||||||||||||||||||
| Created: | July 1, 2010 | Updated: | January 21, 2011 | ||||||||||||||||||||||||||||||||
| Description: | From the CVE entry: CVE-2010-2203: Adobe Reader and Acrobat 9.x before 9.3.3 on UNIX allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Note that all of the other CVEs are listed as Windows and MacOS X only. In addition, they are all as opaque as the above. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
avahi: denial of service
| Package(s): | avahi | CVE #(s): | CVE-2010-2244 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 6, 2010 | Updated: | May 19, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
A deficiency in the way avahi daemon processed packets with corrupted checksum(s). A remote attacker on the same local are network (LAN) could send a DNS packet with broken checksum, that would cause avahi-daemon to exit unexpectedly due to a failed assertion check. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
bugzilla: information disclosure
| Package(s): | bugzilla | CVE #(s): | CVE-2010-1204 | ||||||||
| Created: | July 6, 2010 | Updated: | August 27, 2010 | ||||||||
| Description: | From the CVE entry:
Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search." | ||||||||||
| Alerts: |
| ||||||||||
gcc: directory traversal
| Package(s): | gcc | CVE #(s): | CVE-2010-0831 CVE-2010-2322 | ||||||||||||||||||||
| Created: | July 6, 2010 | Updated: | September 28, 2012 | ||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
Dan Rosenberg reported a directory traversal flaw in fastjar that allows an attacker, who is able to convince a victim to extract a malicious .jar file, to overwrite arbitrary files on disk without prompting the victim. The files to be overwritten must be writable by the user extracting the .jar file. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
libtiff: out-of-bounds writes
| Package(s): | libtiff | CVE #(s): | CVE-2010-2233 | ||||||||||||||||
| Created: | July 2, 2010 | Updated: | August 9, 2010 | ||||||||||||||||
| Description: | From the Red Hat bugzilla:
A flaw was found in a way libtiff handled vertically flipped (i.e. with negative toskew) images on 64bit platforms. Numeric computation used to calculate buffer pointer was done in the way that incorrectly extended from 32bit type to 64bit, resulting in out-of-bounds writes. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
mahara: multiple vulnerabilities
| Package(s): | mahara | CVE #(s): | CVE-2010-1667 CVE-2010-1668 CVE-2010-1670 CVE-2010-2479 | ||||||||||||
| Created: | July 2, 2010 | Updated: | August 23, 2010 | ||||||||||||
| Description: | From the Debian advisory:
Several vulnerabilities were discovered in mahara, an electronic portfolio, weblog, and resume builder. The following Common Vulnerabilities and Exposures project ids identify them: Multiple pages performed insufficient input sanitising, making them vulnerable to cross-site scripting attacks. (CVE-2010-1667) Multiple forms lacked protection against cross-site request forgery attacks, therefore making them vulnerable. (CVE-2010-1668) Gregor Anzelj discovered that it was possible to accidentally configure an installation of mahara that allows access to another user's account without a password. (CVE-2010-1670) Certain Internet Explorer-specific cross-site scripting vulnerabilities were discovered in HTML Purifier, of which a copy is included in the mahara package. (CVE-2010-2479) | ||||||||||||||
| Alerts: |
| ||||||||||||||
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki | CVE #(s): | CVE-2010-1189 CVE-2010-1190 | ||||
| Created: | July 6, 2010 | Updated: | July 7, 2010 | ||||
| Description: | From the Fedora advisory:
Three security issues are fixed in this update: A CSS validation issue was discovered which allows editors to display external images in wiki pages. A data leakage vulnerability was discovered in thumb.php which affects wikis which restrict access to private files using img_auth.php, or some similar scheme. MediaWiki was found to be vulnerable to login CSRF. The upstream authors recommend that all public wikis should be upgraded if possible. The fix includes a breaking change to the API login action. Any clients using it will need to be updated. | ||||||
| Alerts: |
| ||||||
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki | CVE #(s): | CVE-2010-1647 CVE-2010-1648 | ||||||||
| Created: | July 6, 2010 | Updated: | July 7, 2010 | ||||||||
| Description: | From the Fedora advisory:
CVE-2010-1647 Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer. CVE-2010-1648 Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form. | ||||||||||
| Alerts: |
| ||||||||||
rpm: privilege escalation
| Package(s): | rpm | CVE #(s): | CVE-2010-2059 CVE-2010-2198 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 6, 2010 | Updated: | September 22, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entries:
lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file. (CVE-2010-2059) lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059. (CVE-2010-2198) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>