Vulnerability Development mailing list archives

Re: Vulnerability Disclosure


From: Jonathan Leffler <jleffler () us ibm com>
Date: Thu, 7 Jun 2007 05:21:06 -0700

Matthew Steer <matt.steer () marstons co uk> wrote:
I have been playing around with a program and have discovered a bug 
that I have successfully leveraged into code execution. I reported 
my findings to the vendor, not yet receiving a reply; this is the 
first time I have done this. 

The bug is in an installer and malicious input is crafted then 
pasted into an input field which is copied into a buffer of 
insufficient size. The conditions of the exploit seem a little 
extreme to me, but it still results in code execution. 

Given that it is in an installer, hence most likely requiring 
Admin rights, and is a local exploit, the risk of this vulnerability 
being exploited seems low (to me, not being a risk assessor!). 

This brings me to my question: 

Should all vulnerabilities be disclosed to a vendor (at least!) 
however high or low risk?

I've never been a believer in "Security through Obscurity", but do 
the people think there comes a point when it may just be a waste of 
time?

To be honest, I hope not!

Can we check my understanding of your situation?

We have a Windows program installer - or is it Unix?
And the person running the install needs elevated privileges to run the 
install.
And, using the elevated privileges needed for the install, that user can 
trick the installer into doing something other than the intended install?

Wouldn't the person be able to do those things anyway?  So, is there an 
actual risk of exploitation by someone unauthorized?  If the person 
installing has the privileges to abuse their system and then subverts an 
installer into abusing their system, how much of a problem is it really?

...change of tack...

Speaking from the receiving end of such reports, yes, all (real) 
vulnerabilities should be reported.
And all reported vulnerabilities should be acknowledged - at least that it 
was received, and preferably that it was evaluated, understood, and proven 
correct or incorrect and what, if anything, will be done about it.  Which 
may take more than one response email, over a period of days to months. 
The initial response should be timely - within a week, say.  After that, 
it depends.  And it may be that it is not really worth fixing this 
particular problem - though it isn't a decision to be made lightly.

One major problem is knowing whether the report got through to someone 
able to assess and understand it.
And another is knowing how many other reports were received the same day 
(were the people receiving the reports completely overloaded).
And another is knowing whether the version you found the problem in is 
current, and indeed whether the problem reproduces in the current version.
However, and again speaking from experience, many of the problems found in 
old versions also manifest themselves in new versions.

-- 
Jonathan Leffler (jleffler () us ibm com)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921    Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
