Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities

From: Matthew S. Cramer (mscramer_at_ARMSTRONG.COM)
Date: 10/08/04

  • Next message: Patrick Trapp: "Re: Disclosure Debate - yet again"
    Date:         Fri, 8 Oct 2004 16:43:43 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    On Fri, Oct 08, 2004 at 10:43:02AM -0700, Martin Viktora wrote:
    > Drew,
    >
    > First, you wrote that I do not really believe in "full disclosure"
    > even though I clearly stated I am for it. I find it a little bit
    > difficult to argue on that level of reasoning, but please allow
    > me to clarify what I tried to propose anyway: I truly believe that
    > vulnerability disclosure should follow these steps:
    >
    > 1. Vulnerability is discovered and the vendor is notified.
    >
    > 2. In time X, vulnerability existence is publicly announced
    > without giving specific details. Users are urged to apply the patch.
    >
    > 3. In time Y, vulnerability???s technical details are disclosed.
    >
    > While this approach might not provide benefits in all cases, it
    > certainly should not hurt either. We can of course argue what are
    > the appropriate times X and Y but that would be for another
    > discussion and I would be happy if we got there.

    This behavior *CAN* most certainly hurt. In an organization of
    sufficient size and complexity, rolling out patches is an expensive
    process. Both patching itself, and also dealing with all the
    things that break after the patch, cost the company a great deal
    of money.

    The problem is that with this limited-disclosure procedure I don't
    know how the vulnerability works, so I don't know whether or not I am
    vulnerable. I have to make these decisions for a Fortune 1000
    company, so it kind of makes a difference. Do I have adminsitrators
    drop their other efforts to deploy patches? Or can it wait? If I
    don't understand the vulnerability, then I don't understand if the way
    we use the software puts us at risk. I also can't identify any way I
    can mitigate the risk in some manner more simple or cost-effective
    than patching.

    The idea that every piece of software is patched immediately upon news
    of a patch is silly for large corporations. I don't need to be told
    we should patch, so those offering that insight should stay with their
    home LANs or small shops where they aren't struggling with 5000
    different PCs in 500 difference configurations. If I had infinite
    money we'd patch everything all the time, but I don't, so we can't.
    Knowing which patches require my immediate attention is based upon
    reviewing vulnerability details, and doing a risk assessment of our
    environment.

    The limited disclosure approach tells the bad guys where to look, and
    leaves the good guys left to gamble. If this continues to become more
    popular it will certainly not be good for security professionals.

    [...]

    Matt

    --
    Matthew S. Cramer <mscramer@armstrong.com>          Office: 717-396-5032
    Infrastructure Security Analyst                     Fax:    717-396-5590
    Armstrong World Industries, Inc.                    Cell:   717-917-7099
    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    

  • Next message: Patrick Trapp: "Re: Disclosure Debate - yet again"

    Relevant Pages