NoMoreFreeBugs – ohnoes!
At CanSecWest last week (note to self: write a post about how awesome the conference was) a few well-known researchers, Alex Sotirov, Dino Dai Zovi, and Charlie Miller, began a movement against “free bugs”. The basic and oversimplified premise is that they feel security vulnerabilities should not be handed over to vendors for free. I don’t necessarily agree with this, but in reality who cares? To each their own. This is really an individual choice.
Of course, this caused a few people to scratch their heads, and while I am sure there are other really dumb blog posts about this, I thought this one took the cake:
Not only is the above blog post completely off the mark, but it is clear that the author is very inexperienced in dealing with security vulnerabilities. Let’s look at some of the ridiculous comments made by Ross Thomas of Sophos.
“As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.”
Wow... talk about raising the level of FUD, and so soon in the post. While we don’t have a heck of a lot of details on the bug (some do have more than others), I can say with a pretty high confidence level that this bug could not be used to “drain” the author’s bank account. If it could, there would be even less reason to disclose it. 😉
But wait, it gets even worse:
“The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit.”
Really? Didn’t the researcher, in this case Charlie Miller, spend the time to find this bug? He found the bug and he wrote the exploit. That does in fact make it his to do with as he pleases.
I guess that is really the entire point that Sophos and Ross Thomas are missing. While I personally would report any vulnerabilities I find to the vendor, for free, it really is up to the individual researcher to do as he pleases with what he finds. After all, he did put in the work.
“With today’s highly monetized black market for malware authors this kind of bug must not be permitted to exist even for a day, let alone a year”
More FUD! Security vulnerabilities exist; they always have and they always will. Get over it. Bugs exist for much longer than days, as it takes most vendors months to fix anything, and once you have reported the bug to a vendor it is no longer a secret. While anyone could have found the same bug and used it for “bad things”, no one did. So what does that tell you? It suggests to me that the so-called “black market” and malware authors aren’t looking as hard, or maybe they aren’t as good at looking.
Let’s also not forget that users are always slow to patch their machines. So waiting to report this really has no bearing on anything, especially when this specific bug has not been used in the wild. Looking at the last few very successful pieces of malware, none of them used a zero-day. In fact, one of the bigger ones (although we all know the shady AV vendors inflate their numbers), Conficker, used a known and patched vulnerability. The trend lately has been: patch released, bad guys reverse the patch, bad guys start using the vulnerability, and months later users get around to installing the patch.
Perhaps once we start to see more actual zero-days being used, and, let’s be honest here, perhaps once AV vendors start actually offering their users REAL PROTECTION that can’t be easily bypassed, then we can cast stones at someone for wanting to be paid for something they do in their spare time.