Date: Sun, 26 Jul 2015 11:43:16 -0700 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser On Sat, 25 Jul 2015 23:01:28 +0200 Leif Nixon <nixon@...ator.liu.se> wrote: > Frankly, over the years I have seen pretty few people on the side of > the angels complain that "But *why* didn't you include a weaponized > exploit with your advisory? I feel so cheated!". There were several occasions where I disliked that people didn't release their poc code in the past. Maybe I haven't complained enough about it publicly. (examples I can remember right away include BERserk - were now someone else created a poc - and zip password encryption flaws) Now there is sometimes a difference between a weaponized exploit and a testable one, but not always. I agree that it's not nice to release an exploit right away, but I greatly apprechiate if people release poc code at all. I think some best practice would be "release an advisory and pre-announce poc exploit with specified date, wait some time (maybe a week), release exploit". > In these situations, where an exploit for a new local root > vulnerability turned up without prior warning, we typically started > seeing root-level incidents within 24 hours. Have you ever tried to > get big organizations, made up of a zillion independent entities, to > apply security patches within a timescale of hours? Now here I think your arguments get into a dangerous direction. Because it could be understood as that you'd take the lack of an exploit as an excuse not to patch fast. I think it's a crucial thing that can be learned from many of the high profile vulns we saw in the past years - patching time matters more and more. Just remember the drupalgeddon issue where it was later said that everyone who hasn't patched within 7 hours should be considered exploited. And I don't think there's any way to stop that. What we need to keep in mind I think is this: Basically there is no agreed procedure how to do "proper responsible disclosure". There are many opinions out there and as much as you may dislike it, you just have to be prepared for things happening. Some people will think releasing exploits right away is ok. If the bug finder doesn't, maybe someone else will release a working exploit within hours. Sometimes agreed upon embargo timelines will break because some PR person broke the embargo (yeah, qualys again). And you can't exclude the possibility that people will do even less nice things like releasing a working binary exploit without a patch and just let the IT sec community figure the bug out. (I'm actually surprised that these things don't happen more often.) None of that is desirable in my opinion, but it has happened and it will happen again. You have to be prepared for that. If you run important IT infrastructure make sure you have a plan to patch fast. And "fast" is hours these days. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ