Full Disclosure mailing list archives

Re: MSIE (mshtml.dll) OBJECT tag vulnerability


From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 01 May 2006 14:29:35 -0400

Tim Bilbo wrote:

Setting aside analogies, the questions remain: Does full disclosure make
the IT community as a whole less secure than it would otherwise be?
Is it more dangerous to have a handful of sophisticated blackhats
lurking about with an unknown exploit vs. publishing it for every
wannabe hacker to use?  I am confident that the answer is that fully
disclosing discovered vulnerabilities without first giving the vendor a
reasonable chance to address them is more harmful.

I'm confident in saying that full disclosure does not make the IT community as a whole less secure.

My experience, both seeing the white hat and the black hat side of the community fence at different points in my life, is that the black hats will always have access to a certain substrata of information that those of us living in the world of light (i.e. not in a basement) will not have access to for some time.

The problem with your question is that you're ultimately setting up an example that doesn't fit reality. The world you describe above is one where there are two tiers: Those with access to underground data and those without. The script kiddies on the outside, in the world described above, don't have access unless it's disclosed in public. The trouble is that the simplistic model doesn't represent reality. There are many strata in the black hat world and information is used until useless and then dumped into the lower strata as cannon fodder.

What you do usually see with full disclosure (likewise with patching), which is ironically dragged out as an argument against full disclosure, is that when a flaw is disclosed, you do see script kiddies coming out of the woodwork making loud noises with automated bots mass-owning systems. Is this the fault of full disclosure? Nope. It's inevitable. There are no power structures in place to keep script kiddies from using what they find and making it their own. Of course, there's the world of law enforcement, which is effective at apprehending them after they do the deed, but as a deterrent you have to consider the type of person being dealt with: A person who feels marginalized by society and power structures in real life, often lashing out with power they have gained in the online world through the sheer lack of security on the Internet in general. The average script kiddie already has an inflated ego to counter the lack of self-esteem they feel. Law enforcement as a deterrent to this type of person is not as effective as it is with other people, because the script kiddie already believes that he can't be caught.

It's largely because of these multiple strata that we're talking about that your question is somewhat moot. Are we more or less secure with or without full disclosure? Well, the question's pretty irrelevant now, isn't it? Disclosure will always happen... the question is who will be doing the disclosure. Is it worse to have a skilled, quiet hacker who knows what he's doing on your network using 0-days, or an army of clumsy script kiddies writing worms that don't work half the time clogging up networks for one or two days a year -- not even really affecting most of the Internet or people who are security-wise in the first place?

Personally, I think the more quiet, careful hacker is more dangerous. And in the end, it will always get out anyway... so you might as well bring it full circle sooner. Vendor disclosure before public disclosure is nice, but does not notifying the vendor inherently make us less secure? Well, I'd say not really. We were already insecure to begin with... and a state of secrecy doesn't make us more secure. It just means we don't know there's a problem that needs to be fixed.

            -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/