Vulnerability Development mailing list archives
Re: Vulnerability Disclosure
From: Jonathan Leffler <jleffler () us ibm com>
Date: Thu, 7 Jun 2007 05:21:06 -0700
Matthew Steer <matt.steer () marstons co uk> wrote:
I have been playing around with a program and have discovered a bug that I have successfully leveraged into code execution. I reported my findings to the vendor, not yet receiving a reply; this is the first time I have done this. The bug is in an installer and malicious input is crafted then pasted into an input field which is copied into a buffer of insufficient size. The conditions of the exploit seem a little extreme to me, but it still results in code execution. The fact that it is in an installer, hence most likely requiring Admin rights, and is a local exploit, the risk of this vulnerability being exploited seems low (to me, not being a risk assessor!). This brings me to my question; Should all vulnerabilities be disclosed to a vendor (at least!) however high or low risk? I've never been a believer in "Security through Obscurity", but do the people think there comes a point when it may just be a waste of time?
To be honest; I hope not!
Can we check my understanding of your situation? We have a Windows program installer - or is it Unix? And the person running the install needs elevated privileges to run the install. And, using the elevated privileges needed for the install, that user can trick the installer into doing something other than the intended install? Wouldn't the person be able to do those things anyway? So, is there an actual risk of exploitation by someone unauthorized? If the person installing has the privileges to abuse their system and then subverts an installer into abusing their system, how much of a problem is it really?

...change of tack...

Speaking from the receiving end of such reports, yes, all (real) vulnerabilities should be reported. And all reported vulnerabilities should be acknowledged - at least that it was received, and preferably that it was evaluated, understood, and proven correct or incorrect and what, if anything, will be done about it. Which may take more than one response email, over a period of days to months. The initial response should be timely - within a week, say. After that, it depends. And it may be that it is not really worth fixing this particular problem - though it isn't a decision to be made lightly.

One major problem is knowing whether the report got through to someone able to assess and understand it. And another is knowing how many other reports were received the same day (were the people receiving the reports completely overloaded). And another is knowing whether the version you found the problem in is current, and indeed whether the problem reproduces in the current version. However, and again speaking from experience, many of the problems found in old versions also manifest themselves in new versions.
--
Jonathan Leffler (jleffler () us ibm com)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
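The bug class under discussion above is a user-supplied installer field copied into a fixed-size buffer with no length check. As an added illustration (not code from this thread, and not the installer Matthew describes, whose product, field names and buffer size are unknown), here is the bounded copy such an installer needs: the field size and sample inputs are constructed, and the copy refuses input that does not fit rather than silently truncating it, so the installer never acts on a mangled path.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size fields as an installer might hold them. FIELD_MAX is a
 * constructed example value, not a size taken from any real product. */
#define FIELD_MAX 64

struct installer_config {
    char install_path[FIELD_MAX];
    char license_key[FIELD_MAX];
};

/* Bounded copy of a user-supplied field into dst (dst_size bytes).
 * Returns 0 on success, -1 if src (plus its terminating NUL) does not fit.
 * Scanning src no further than dst_size bytes means an arbitrarily long
 * pasted string is rejected without ever being read in full. */
int set_field(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') {
        len++;
    }
    if (len == dst_size) {
        return -1;                /* no room for the NUL: refuse the input */
    }
    memcpy(dst, src, len + 1);    /* copies the terminating NUL as well */
    return 0;
}

/* Wrappers that tie each field to its own buffer size via sizeof, so the
 * bound cannot drift from the declaration. */
int set_install_path(struct installer_config *cfg, const char *path)
{
    return set_field(cfg->install_path, sizeof cfg->install_path, path);
}

int set_license_key(struct installer_config *cfg, const char *key)
{
    return set_field(cfg->license_key, sizeof cfg->license_key, key);
}

/* Constructed sample: a path that fits. Returns 0. */
int demo_fits(void)
{
    struct installer_config cfg;
    return set_install_path(&cfg, "C:\\Program Files\\Example");
}

/* Constructed sample: a pasted string several times the field size,
 * the kind of input an unbounded strcpy would have written past the
 * buffer. Returns -1 and leaves cfg untouched. */
int demo_too_long(void)
{
    struct installer_config cfg;
    char pasted[FIELD_MAX * 4];
    memset(pasted, 'A', sizeof pasted - 1);
    pasted[sizeof pasted - 1] = '\0';
    return set_install_path(&cfg, pasted);
}

int main(void)
{
    printf("fits: %d, too long: %d\n", demo_fits(), demo_too_long());
    return 0;
}
```

The boundary worth checking when reviewing such code is the off-by-one: a string of exactly FIELD_MAX - 1 characters must be accepted (it leaves room for the NUL) and one of FIELD_MAX characters must be refused.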
Current thread:
- Vulnerability Disclosure matt . steer (Jun 06)
- Re: Vulnerability Disclosure Steve Shockley (Jun 07)
- Re: Vulnerability Disclosure Mauro Flores (Jun 07)
- <Possible follow-ups>
- Re: Vulnerability Disclosure Jonathan Leffler (Jun 07)
- Re: Vulnerability Disclosure Valdis . Kletnieks (Jun 08)
- Re: Vulnerability Disclosure Jonathan Leffler (Jun 08)
- Re: Vulnerability Disclosure Lincoln Yeoh (Jun 18)
- Re: Vulnerability Disclosure Valdis . Kletnieks (Jun 08)