February 27, 2007
Fair Disclosure Debate Rages On
After I posted my story on Web browser vulnerabilities last week, I heard back from Polish researcher Michal Zalewski, who took umbrage with remarks made by Mozilla CSO Window Snyder that he had not informed the company about a new flaw in its Firefox software before taking the news public.
Zalewski said that he had in fact posted details of the problem -- which involves a memory corruption issue -- on Mozilla's Bugzilla forum, and submitted similar details to the company via e-mail, before outing the problem on the BUGTRAQ security research mailing list.
Pushed further, Zalewski admitted that his communications with Mozilla came just prior to making his BUGTRAQ post, and didn't leave much time for the firm to create a security update to help fix the issue for end users.
"It was certainly too short for Mozilla to develop patches, but the fact there was a notification simply means it was incorrect to use the phrase 'makes his work public before informing Mozilla,'" Zalewski said in an e-mail. (For the record, those exact words he quoted were mine, not Snyder's, but she had said as much in our phone interview.)
Snyder agreed with Zalewski's assessment, saying in her own follow-up e-mail that such short notice doesn't leave much room for Mozilla, or anyone else, to make things right from a coding perspective.
"It wasn't enough time for us to do anything before the information was made public," Snyder wrote, while noting that Mozilla appreciates the researcher's work (a point she repeatedly made in our previous interview). "Even if we disagree about disclosure," the CSO said.
The episode further illustrates the disconnect that exists between security researchers and software makers on the topic of vulnerability disclosure. Zalewski clearly feels it's OK to detail problems that have existed in vendors' products for some time without being addressed, while Snyder would simply like more time to deal with such issues before they're made public.
This is the catch-22: Security researchers like Zalewski worry that if they allow software vendors to sit on problems without fixing them, the best interests of end users -- who remain unprotected and uninformed in the interim -- are not being served.
Executives at product companies, like Mozilla's Snyder, say they don't mind the criticism, and in fact encourage it, but hope to have a little more time to create patches or other support for end users before malware writers start assailing the published flaws.
It's a complex issue that remains open to a great amount of debate. Should researchers work more closely with vendors? Should customer security rise above all other concerns? Can these parties establish a more formal process with hard deadlines?
Unsurprisingly, Zalewski says that open source companies like Mozilla at least do a better job of responding to his communications, attempting to fix problems and informing end users than those who build more proprietary products, like, say, Microsoft.
"Most [open source] folks are quite willing to cooperate and feel that the process of fixing problems should be completely open; some don't, but in most cases, it's a matter of ego, not business," wrote the independent researcher. "Now, as far as commercial vendors go - [it] all depends. Some are nice. Some want to sue researchers back to hell. Some occupy a middle ground."
Meanwhile:
"Microsoft, for example, though generally willing to engage in a public security research and disclosure process, is frequently criticized for a couple of offenses that aren't particularly grave, but cumulatively, don't paint a rosy picture," Zalewski said.
What's abundantly clear from the Zalewski-Mozilla exchange is that leading security researchers will continue to walk a fine line in terms of reporting what they find, and keeping vendors in the loop, while the software makers have goals of their own in fostering changes to the process.
Until both sides reach some sort of compact, this current situation may be the best we can hope for.
"For vulnerabilities that are not immediately exploitable to have a profound and deep impact on the Internet, I try to follow the practice of full disclosure," said Zalewski. "This is a controversial method, but one I find fair to the general public - and I don't see my vulnerabilities turned into malicious code more often than 'responsibly' disclosed ones are - I do, however, see them fixed faster and with a more open public debate."
Posted by Matt Hines on February 27, 2007 11:17 AM
February 26, 2007
Well, since I'm spending so much time on teaching, travel, clients and writing for other magazines (not to mention getting a few winks of sleep now and again), InfoWorld has decided to add some relief pitchers for me.
What's this mean for you, the diligent and die-hard Zero Day reader? Well, you get world-class writers filling in for me when I'm not around. I'm told it will be news editor Paul Roberts, whom I respect highly, and InfoWorld's new security news editor Matt Hines. While I haven't met Matt in person yet, he knows his stuff and won't steer you wrong. Not to mention that he works full time for IW and has the time to get you more breaking news than I can.
So, you'll get the straight and narrow stuff from Matt and Paul, and you'll still get the crazy in the field stuff from me.
And yes, to all who've asked in person, via phone and email - I'll be writing more this year. So hold on to your collective seats, 'cause we'll continue down that track that is the information super farm road, security potholes and all.
Posted by Victor R. Garza on February 26, 2007 02:55 PM