Re: [HERT] Advisory #002 Buffer overflow in lsof

[weld () L0PHT COM (Weld Pond)]

On Thu, 18 Feb 1999, Gene Spafford wrote:

> Yes, some software could be written better.  Yes, some vendors may do a poor
> job of responding to reports.
>
> Still, posting attacks or vulnerabilities that are in not in general
> knowledge and are not being actively exploited and *before* the vendor has
> been given a chance to respond is not being part of the solution.   It is
> arrogance or showing off.

Before full disclosure became more of the norm, we lived in a world where
vendors sat on problems for many months. When bugs were reported questions
such as, "do our customers know about this problem?" were asked. It was
clear that the fewer people who knew about the problem the longer it would
take to be fixed.  It was only when many customers knew about the problem
that vendors would snap into action.

The other problem with a world where vendors can expect to be notified
first is they can be reactive about security instead of proactive.  They
can wait for the "nice guys" to find the problems and cross their fingers
that the "bad guys" aren't running rampant through their customers
"secure" systems.

The full disclosure method has forced many vendors to be more procactive
about security and that is a good thing.  I would say that full disclosure
has raised the quality of shipping products and shortened the time between
problem discovery and vendor fix.

The most important aspect of full disclosure though is that the user is
informed.  Some users are able to take protective measures without the
need to wait for a vendor fix.  This lets the user make decisions based on
as much information about his or her security posture that is available.
The user is not beholden to the whims of release schedules, corporate
public relations or the financial standing of the vendor.

> People who really want to improve security find ways to avoid hurting victims
> and increase protection.   If there is a problem that is not known and not
> under attack, notifying the vendor and waiting for a valid fix to appear is
> not going to result in anyone being hurt.   Posting an exploit widely for a
> previously unknown problem suddenly opens up all the current users to attack.

I agree that someone posting an exploit should also post a fix if they are
able to determine one.  Sometimes it is not possible due to lack of source
code or the nature of the problem.  But getting the information out there
may enable another member of the community to supply a fix that even the
vendor may not have thought of.

-weld