oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: Hanno Böck <hanno () hboeck de>
Date: Sun, 26 Jul 2015 11:43:16 -0700
On Sat, 25 Jul 2015 23:01:28 +0200 Leif Nixon <nixon () lysator liu se> wrote:
> Frankly, over the years I have seen pretty few people on the side of the angels complain that "But *why* didn't you include a weaponized exploit with your advisory? I feel so cheated!".
There were several occasions in the past where I disliked that people didn't release their PoC code. Maybe I haven't complained enough about it publicly. (Examples I can remember right away include BERserk, where now someone else has created a PoC, and the zip password encryption flaws.) Now there is sometimes a difference between a weaponized exploit and a testable one, but not always. I agree that it's not nice to release an exploit right away, but I greatly appreciate it if people release PoC code at all. I think a good best practice would be: "release an advisory and pre-announce a PoC exploit with a specified date, wait some time (maybe a week), release the exploit".
> In these situations, where an exploit for a new local root vulnerability turned up without prior warning, we typically started seeing root-level incidents within 24 hours. Have you ever tried to get big organizations, made up of a zillion independent entities, to apply security patches within a timescale of hours?
Now here I think your arguments go in a dangerous direction, because it could be understood as saying that you'd take the lack of an exploit as an excuse not to patch fast. I think there's a crucial thing that can be learned from many of the high-profile vulns we saw in the past years: patching time matters more and more. Just remember the Drupalgeddon issue, where it was later said that everyone who hadn't patched within 7 hours should be considered exploited. And I don't think there's any way to stop that.

What we need to keep in mind, I think, is this: basically there is no agreed procedure for how to do "proper responsible disclosure". There are many opinions out there, and as much as you may dislike it, you just have to be prepared for things happening. Some people will think releasing exploits right away is ok. If the bug finder doesn't, maybe someone else will release a working exploit within hours. Sometimes agreed-upon embargo timelines will break because some PR person broke the embargo (yeah, Qualys again). And you can't exclude the possibility that people will do even less nice things, like releasing a working binary exploit without a patch and just letting the IT sec community figure the bug out. (I'm actually surprised that these things don't happen more often.)

None of that is desirable in my opinion, but it has happened and it will happen again. You have to be prepared for that. If you run important IT infrastructure, make sure you have a plan to patch fast. And "fast" is hours these days.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
Attachment: OpenPGP digital signature