Disclosure policy in Re: RealPlayer vulnerabilities

From: Martin Viktora (mviktora_at_KERIO.COM)
Date: 10/07/04

  • Next message: Andrew Aronoff: "Re: CWS = Crummy Windows Security"
    Date:         Thu, 7 Oct 2004 11:03:56 -0700

    Apparently, both Eeye Digital Research (US software security company)
    and NGS Software Ltd (a UK based research firm) claim credit for
    discovering the recent vulnerability in RealPlayer. This might not
    be as interesting as the fact how the two companies decided to inform
    about the vulnerability. While NSG took responsible approach, quote:

    > NGSSoftware are going to withhold details about these flaws for three
    > months. Full details will be published on the 6th of January 2005. This
    > three month window will allow users of RealPlayer the time needed to apply
    > the patch before the details are released to the general public. This
    > reflects NGSSoftware's new approach to responsible disclosure.

    Eeye went ahead and released technical details about the vulnerability
    just a few days after the vendor made the patch available. Many of you
    may remember another vulnerability disclosure made by Eeye in March 2004
    when they released technical information about a flaw in ISS security
    products (ICQ parsing module) that was followed by a "zero-day-attack", when
    in 36 hours a particularly damaging “Witty” worm struck users of ISS products
    (The worm damaged users’ data by writing over random hard disk sectors).

    Considering the scope of RealPlayer’s vulnerability - multiple products,
    multiple target user groups (from home users to enterprises), multiple
    platforms (Windows, Mac, Linux), this early release of technical data
    about the vulnerability gives hackers again a great window of opportunity to
    attack vulnerable systems.

    While I completely believe in "full disclosure" as the only way to ensure
    that software vendors take security seriously and act quickly to resolve
    security issues, even if it means that cyber criminals are given instructions
    how to write malicious code and attack, the security industry needs to
    cultivate the way how vulnerabilities are published.

    Vendors often need more than the typical 30 days ultimatum given by security
    researches. Depending on the scope and nature of the vulnerability a vendor
    may need more time to test the patch and make sure that it works correctly.
    And then there is the whole issue of delivering the patch to the customers.
    Even in the ideal case when the patch can be delivered relatively quickly via
    some kind of automated update system, many companies opt to test the patch
    internally and delay its deployment (as we saw with XP SP2).

    What I am calling for is that security researches take responsible approach
    in releasing information about security vulnerabilities, similar to NSG
    release policy. With zero-day-attacks, it is no longer possible that technical
    details are published about the same time the patch is made available.
    An industry accepted standard defining information release steps and time
    constrains is necessary here so that both vendors and customers are given
    enough time to make sure that they are secure before technical details
    (=instructions how to write malicious code) are released.

    Martin Viktora

    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.

  • Next message: Andrew Aronoff: "Re: CWS = Crummy Windows Security"

    Relevant Pages

    • Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
      ... you wrote that I do not really believe in "full disclosure" ... Vulnerability is discovered and the vendor is notified. ... I am not talking about the absolute security. ... you say that vendors must work much harder at reducing patch ...
    • Re: Its not that simple... [Was: Re: [Full-disclosure] Disney Down?]
      ... PnP is not a show stopper when it comes to patch compatibility testing ... "Successful exploitation of this vulnerability could be leveraged to ... "If it had been International Paper or some company like ... > to take security matters more seriously. ...
    • Re: Download.ject - commentary - LONG
      ... > patch recently released by Microsoft. ... > vulnerability in question, but instead is just a partial workaround. ... > Granted these are known security best practices related to Internet ... > a new default browser to users and hope that it will be safe enough. ...
    • SecurityFocus Microsoft Newsletter #165
      ... Tenable Security ... distribute, manage, and communicate vulnerability and intrusion detection ... Microsoft Internet Explorer MHTML Forced File Execution Vuln... ...
    • SecurityFocus Microsoft Newsletter #174
      ... This issue sponsored by: Tenable Network Security ... the worlds only 100% passive vulnerability ... MICROSOFT VULNERABILITY SUMMARY ... Novell Netware Enterprise Web Server Multiple Vulnerabilitie... ...