Archive for Vulnerabilities

NoMoreFreeBugs – ohnoes!

Posted in security on March 23, 2009 by hellnbak

At CanSecWest last week (note to self: write a post about how awesome the conference was) a few well known researchers, Alex Sotirov, Dino Dai Zovi, and Charlie Miller began a movement against “free bugs”.  The basic and over simplified premise is that they feel that security vulnerabilities should not be handed over to vendors for free.  I don’t necessarily agree with this but in reality who cares?  To each their own.  This is really an individual choice.

Of course, this caused a few to scratch their heads and while I am sure there are other really dumb blog posts about this — I thought this one took the cake:

Not only is the above blog post completely off the mark, but it is clear that the author is very inexperienced in dealing with security vulnerabilities.  Let's look at some of the ridiculous comments made by Ross Thomas of Sophos.

“As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.”

Wow... talk about raising the level of FUD, and so soon in the post.  While we don't have a heck of a lot of details on the bug (some do have more than others), I can say with a pretty high confidence level that this bug could not be used to "drain" the author's bank account.  If it could, there would be even less reason to disclose it.  😉

But wait it gets even worse:

“The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit.”

Really?  Didn’t the researcher, in this case Charlie Miller, spend the time to find this bug?  He found the bug and he wrote the exploit.  That does in fact make it his to do with as he pleases.

I guess that is really the entire point that Sophos and Ross Thomas are missing.  While I personally would report any vulnerabilities I find to the vendor, for free, it really is up to the individual researcher to do as he pleases with what he finds.  After all, he did put in the work.

“With today’s highly monetized black market for malware authors this kind of bug must not be permitted to exist even for a day, let alone a year”

More FUD!  Security vulnerabilities exist; they always have and they always will.  Get over it.  Bugs exist much longer than days, as it takes most vendors months to fix anything, and once you have reported the bug to a vendor — it is no longer a secret.  While anyone could have found the same bug and used it for "bad things", no one did.  So what does that tell you?  It suggests to me that the so-called "black market" and malware authors aren't looking as hard, or maybe they aren't as good at looking.

Let's also not forget that users are always slow to patch their machines.  So waiting to report this really has no bearing on anything — especially when this specific bug has not been used in the wild.  Looking at the last few very successful pieces of malware — none of them used a zero-day.  In fact one of the bigger ones (although we all know the shady AV vendors inflate their numbers), Conficker, used a known and patched vulnerability.  In fact, the trend lately has been: patch released, bad guys reverse the patch, bad guys start using the vulnerability, months later users get around to installing the patch.

Perhaps once we start to see more actual zero-days being used — and let's be honest here, perhaps once AV vendors start actually offering their users REAL PROTECTION that can't be easily bypassed — then we can cast stones at someone for wanting to be paid for something they do in their spare time.


Counting Vulnerabilities and SDL – No One Hears the Tree Falling

Posted in security on April 20, 2008 by hellnbak

Those of you who have known me since early on in my career as an “infosec guy” know that I have always been very critical of Microsoft.  Between the days of Information Anarchy, my old school rants and the “AusCERT Incident” I have always been ready to pounce on the boys in Redmond when I felt that they were being shady or crossing a line.  That said, those that know me also know that I am a reasonable person and won’t jump on someone just for the sake of jumping on them.

Sadly, I am a sheep, and like most of you, I am on Facebook.  One of my Facebook (and professional/real life) friends is Ryan Naraine over at eWeek.  I noticed his status late this week was – “Dave Litchfield is also wrong –

So, wondering what the next Information Security drama was I headed over to Dave’s BLOG (which I didn’t know existed till now and I highly recommend it) and gave the post a read.  It seems that the hoopla is all about the Secure Development Lifecycle and counting vulnerabilities.  Dave’s post was simply a response to this post by Peter Lindstrom who is apparently some sort of analyst.


I have been on all ends of the security puzzle.  Two of those many ends are the vendor and, of course, the vulnerability researcher.  Based on my experiences I feel that I have good insight into not only the vulnerability reporting process but also the Security Development Lifecycle.  In fact, with all due respect to Dave and Peter, I think I have a much clearer insight than the both of them.

Let me say this right now.  SDL works.

You name the major vendor — Microsoft, Apple, IBM, HP, VMware, etc.  I have worked with them on getting vulnerabilities fixed, and I have been doing so at different times during my 15-year career.  I was sitting at the lunch table in the 90s when a Sr. Microsoft executive looked at a group of researchers and said "If I had my way people like you would be in jail".  I was there when Scott Culp, during his MSRC days, called every security researcher a terrorist.  I have also watched the vendor everyone loves to hate — Microsoft — do a complete 180 on their security philosophy.

So before you comment calling me a fan boy, let me say this.  Is Microsoft perfect with how they deal with security vulnerabilities and bugs?  No, they are far from it.  But they are better than the majority of the vendors I have had to deal with.

Apparently what caused the drama amongst security bloggers was this comment:

Microsoft has systematically hired and/or contracted with every one of their most vocal critics (and most seasoned bugfinders) to do the work behind the scenes and they don’t count those vulns!

Dave Litchfield, who has a successful company in the UK, took offense to this remark.  To be honest, I don't blame him.  Dave is best known for being the guy that completely destroyed Oracle security, as well as for a few really good Microsoft bugs found by him and his team over at NGSS.  It is also common knowledge that NGSS does a bit of work for Microsoft on MS SQL that happens to fall into Microsoft's SDL process.

Peter on the other hand, with all due respect and to the best of my knowledge, has never found, reported, or fixed a security vulnerability before.  In fact, even on his own blog he says the following:

“I have very little security background or knowledge”

Don't get me wrong.  I have met Peter, once, and he seemed like a cool enough guy and someone that does in fact have more than a little security knowledge, so I am not trying to pick on him, but in this case he is blatantly wrong.

OK, let's be fair, he is not blatantly wrong.  He is three-quarters wrong.  Let's look at his statement again:

Microsoft has systematically hired and/or contracted with every one of their most vocal critics (and most seasoned bugfinders) to do the work behind the scenes and they don’t count those vulns!

The first part is close to being right.  I wouldn't say that Microsoft has hired every critic (if so, where the hell is my check?), but they have hired/contracted most (perhaps only the good ones, thus no check for me, heh) SECURITY RESEARCHERS that have been successful in finding bugs in Microsoft software.  Note I did not say CRITICS, as it is easy to be a critic and it is very hard to be a security researcher.

The part of the statement above that is laughable is the idea that it is an issue that Microsoft does not count any vulns found by their contract QA engineers (hey security guys, we are really nothing more than QA).  All I can say here is: no shit they don't count them.  I know those of you who are developers on commercial products are laughing at the thought of this right now.  But could you imagine if every bug you found in your development lifecycle (which includes the security component) had to be reported to MITRE, assigned a CVE, and then counted publicly?  Not only would development time triple, but you would find yourself flooding those that count vulnerabilities with a whole lot of useless information.

(I know this post is getting long, for that I apologize, I am drinking my favorite drink (crown royal, 7-up and cranberry) while watching the UFC pay per view so I will try to end this quickly.  By the way, my money is on Serra not St. Pierre — yes I know I am going against the fellow Canadian.)

Perhaps we need to rethink our definition of a vulnerability to put this into the proper context, but a bug found internally during the development process is not a vulnerability and therefore should not be counted.

The vulnerabilities that need to be counted are the ones that actually affect the end users and can compromise the security of those end users.  The “vulnerabilities” found during the SDL should not have to be public as they do not affect the public in the least.

It really is that simple, folks, and I am kind of surprised that after all this time we are still arguing about such a thing.  So yes, much like the tree falling in the forest... no one hears a vulnerability that is fixed during the SDL process, nor should they.