Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 26 Jul 2015 11:43:16 -0700
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245
 userhelper - CVE-2015-3246 libuser

On Sat, 25 Jul 2015 23:01:28 +0200
Leif Nixon <nixon@...ator.liu.se> wrote:

> Frankly, over the years I have seen pretty few people on the side of
> the angels complain that "But *why* didn't you include a weaponized
> exploit with your advisory? I feel so cheated!".

There were several occasions where I disliked that people didn't
release their poc code in the past. Maybe I haven't complained enough
about it publicly. (examples I can remember right away include BERserk
- were now someone else created a poc - and zip password encryption
flaws)

Now there is sometimes a difference between a weaponized exploit and a
testable one, but not always.
I agree that it's not nice to release an exploit right away, but I
greatly apprechiate if people release poc code at all. I think some
best practice would be "release an advisory and pre-announce poc exploit
with specified date, wait some time (maybe a week), release exploit".

> In these situations, where an exploit for a new local root
> vulnerability turned up without prior warning, we typically started
> seeing root-level incidents within 24 hours. Have you ever tried to
> get big organizations, made up of a zillion independent entities, to
> apply security patches within a timescale of hours?

Now here I think your arguments get into a dangerous direction. Because
it could be understood as that you'd take the lack of an exploit as an
excuse not to patch fast.

I think it's a crucial thing that can be learned from many of the high
profile vulns we saw in the past years - patching time matters more and
more. Just remember the drupalgeddon issue where it was later said
that everyone who hasn't patched within 7 hours should be considered
exploited. And I don't think there's any way to stop that.

What we need to keep in mind I think is this: Basically there is no
agreed procedure how to do "proper responsible disclosure". There are
many opinions out there and as much as you may dislike it, you just
have to be prepared for things happening. Some people will think
releasing exploits right away is ok. If the bug finder doesn't,
maybe someone else will release a working exploit within hours.
Sometimes agreed upon embargo timelines will break because some PR
person broke the embargo (yeah, qualys again). And you can't exclude
the possibility that people will do even less nice things like
releasing a working binary exploit without a patch and just let the IT
sec community figure the bug out. (I'm actually surprised that these
things don't happen more often.)

None of that is desirable in my opinion, but it has happened and
it will happen again. You have to be prepared for that. If you run
important IT infrastructure make sure you have a plan to patch fast.
And "fast" is hours these days.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.