Re: Vulnerability Disclosure Debate

[gridrun <gridrun () likes smart-girlies org>]

Matthew Murphy wrote:

<snip>

> As for virus/worm authors and how they find bugs to exploit, if you had any
> background here, you would have realized by now that the vast majority of
> self-propagating code targets vulnerabilities where working exploit code is
> available.  Code Red, Nimda, Slammer, and Spida all fit this criterion.
> While nobody can say for a fact that no virus writer has ever found his own
> hole, we *can* say that trends and patterns in self-propagating code prove
> that the creation of such code is sped up significantly when exploit code is
> public.
>  
I might have more "background" here than you, sir.

> > They state that those releasing proof-of-concept code to the public are
> > responsible for the creation of various malware, virii and worms,
> > exploiting the discovered vulnberabilities.
> > Let me tell you one thing: If you believe that you are the only ones
> > finding vulnerabilities, then you are to be considered a bunch of
> > arrogant, self deceited stupid ignorant bitches. Do you really think you
> > are the only ones "31337" enough to find sec vulns??? Latest example:
> > The people here at spacebitch.com noticed intrusions using the RPC/DCOM
> > vulnerability at least a month before any information about it was
> > published at all.
> >    
>
> Sure ya did -- how many of us should believe that?  And I assume, of course,
> that you notified Microsoft of the exploit immediately, right?
>  
Oh I really do give a flying fsck what you believe. I just stated what 
happend, nothing more.

> Well, I find it pretty incredible that this "inherently dumb program" spread
> so well, then, if it was so worthless and buggy.  Can't imagine what a
> *well-written* worm for that bug would have done, then!
>  
You cant imagine? You dont know much about the underground, it seems. 
Btw, it really spread well, yeah...
If you consider spreading to the news headlines a good thing, yeah. It 
did very well.
No wonder you can't imagine. Oh well, after all you think those high 
profile worms make up for the
"vast majority" of self propagating code... You are living in a dream 
world, Neo.

most widely known != vast majority

> > Hackers, Crackers and Script Kiddies alike are known to engage in
> > exploit trading and often, they are discovering and exploiting
> > vulnerabilities without going BIG NEWS about it... Do you really
> > believe, people are sending all their 0day to @stake & co in advance,
> > just to let them make money of the news?? Would you not rather believe
> > that crackers finding new vulnerabilities would keep them 0day as long
> > as possible, exploiting them undiscovered, because the majority doesnt
> > even know the hole exists?? To me, it would seem perfectly logical for
> > hackers and crackers alike to ONLY publish their findings after the
> > problem was initially noticed by the public? Would it not make sense to
> > you? To keep 0day for fun and profit as long as possible, and then
> > releasing a modified variant of the 0day as "proof-of-concept" code, as
> > soon as the public is noticed, and credits and publicity are to be
> > gained by releasing the exploit code to the public?
> >    
>
> Now, you're embarrassing yourself.  Crackers, and etc. don't want credit
> from the vast majority of the list readership (generally speaking, anyway),
> and could care less about what we say.  Also, some realize that the act of
> breaking into a system under the laws of most countries is illegal, and
> don't want to draw attention to themselves by publishing the code they used
> to do it.
>  
You cannot imagine how a well-written worm would behave, but you claim 
to know what
crackers want. You, sir, are contradicting yourself. Besides, it was 
exactly my point that most
exploits remain 0day anyways.

> > To me, full disclosure makes perfect sense. Tell people about the
> > vulnerability as soon as you notice it exists, you'll see
> > "proof-of-concept" code appearing within days - essentially a proof that
> > there were other people knowing about the vulnerability already.
> >    
>
> Not even close.  While we see PoC code appear in only a few days, that is
> not an indicator of advanced details, particularly if the product is widely
> deployed, as you can start exploit development in a matter of minutes after
> receiving the first details, if in a position to do so (i.e, you have a box
> in front of you to test).
>  
You still believe vulnerabilities are not found until someone at (insert 
name of big money sec company here)
notices them, then you are way off. *knock, knock*

> > Also, full disclosure, including exploit code, frees you from the
> > obligation to believe in software vendor advisories and patches -
> > another critical issue, demonstrated again by the RPC/DCOM flaw:
> >    
>
> Exploit code *does not* solve the problem.  I can do just as well by
> providing no code, and just being descriptive with my details, as I can by
> providing code.  I've provided code with some advisories; this is not a
> practice I engage in any longer.  It really speaks poorly for the writing
> capabilities of the discoverer if they are incapable of offering sufficient
> detail to at least reproduce the flaw without providing exploit code.
> Exploit code, while it can conclusively prove that the vulnerability exists
> in a particular config, is not 100% accurate (offsets can be bad, for
> instance), and this can even create a false sense of security.  Further, you
> don't get any solution by running an exploit.
>  
Descriptive like "There exists a problem in the way XYZ handles FUBAR 
requests. The vulnerability
can be exploited remotely. Patches are available; apply immediately." ? 
mmkay...
I share your point of view about the false sense of security tho. 
Perfectly valid point.

> > Apparently, M$' fix doesnt really fix the problem to its full extent,
> > and in some cases, is believed to leave machines vulnerable to the
> > attack. Again, something which was to be discovered by END USERS loading
> > proof-of-concept exploits and trying them on their own systems. To me,
> > it makes no sense to blindly trust in a software vendor's patch, when it
> > has repeately been shown that software vendor's patches often do not
> > fully provide the anticipated security fixes.
> >    
>
> And exploit code, of course, fills that gap, right?  You are talking about
> two different things here.  MS03-026 certainly does mitigate the
> vulnerability at hand.  Also, you must remember that vendor patches are only
> designed to protect against vulnerabilities that immediately impact the
> system being patched.
Which part did you not understand? Failure of the RPC/DCOM patch to 
effectively address the vulnerability
was discovered only when end users ran * E X P L O I T  C O D E * 
against their own, patched
servers. It might not give you a solution to the problem, but at least 
*you know if the problem still exists*

> > Obviously, time has NOT yet come to say goodbye to full disclosure, and
> > doing so would leave end users at the fate of some sotware producers'
> > industry consortium to take care of OUR security - which they have
> > repeatedly shown to be incapable of.
> >    
>
> This depends on how you define Full Disclosure.  I strongly believe that
> details of vulnerabilities I find should be made available to the public.
> This is how I define Full Disclosure.  Most security researchers today have
> adopted the more rational viewpoint that Full-Disclosure does not require
> exploit code, as it has been proven many times (and will continue to be
> proven) that exploit code does far more damage than good.  I also feel that
> those who require that vulnerabilities be disclosed immediately (or after
> some other short period), are harming the concept.  The idea of Full
> Disclosure is that the public has the best opportunity for remedial action;
> this usually includes vendor fixes.
I do not oppose that the vendor should be notified with substantial 
information about a vulnerability,
and I do not oppose that there should be a time frame for the vendor to 
come up with a solution.

> In today's environment where every new vulnerability is a time bomb, we must
> balance the public's need to know with its requirement for suitable
> solutions.
>  
And who should balance? You?? After all, you are the "public". Unless 
your on someone's payroll to
post anti-FD FUD here, that is.

Cheers

--grid

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html