Re: Public disclosure of discovered vulnerabilities
From: Stephen Sprunk (stephen_at_sprunk.org)
Date: Wed, 18 May 2005 13:38:29 -0500
"Andi Kleen" <email@example.com> wrote in message
> "Stephen Sprunk" <firstname.lastname@example.org> writes:
> > In contrast, one vendor I worked with would fix security bugs and
> > ship patches (without telling customers what they fixed) as quickly
> That seems like a bad strategy, because software patches can usually
> be reverse engineered relatively easily. Disassembling a big
> program is quite tough because it is so much code, but just looking
> at the differences from an earlier version of the image is much easier.
> So a blackhat just needs to watch the new patches and then use the
> exploits before all the customers know about it and have updated their
> systems. Worst of both ways.
I was deliberately omitting details because I thought they'd obscure the
point; however, it appears that was a bad idea.
The vendor in question releases code only as a complete system image,
and they do so every few weeks. Each release has hundreds, if not
thousands, of changes to it and only a handful (if any) are related to
security. An attacker would have to disassemble the code for every
release, track down every change, determine whether or not each had
anything to do with security, and then come up with an exploit before
most customers had upgraded. Certainly possible, but not terribly
likely. And, if someone did publish details of a hole that was found
this way, all the vendor would need to do in return is publish the
notice immediately (instead of sitting on it for six months) since the
code with the fix was already released.
--
Stephen Sprunk        "Those people who think they know everything
CCIE #3723            are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov