[VIM] Responsible Disclosure Article

[Heinbockel, Bill]

Continuing the discussion surrounding vulnerability disclosure
from the roundtable at Blackhat, Security Focus has an article
with feedback from vendors and some researchers (Litchfield, HDM).

"Disclosure survey" - Federico Biancuzzi
http://www.securityfocus.com/columnists/415

Generally, I agree with the comments of Michal Zalewski.
In an ideal world, responsible disclosure is the best route. However
for responsible disclosure to work, requires support from both the
researcher and the vendor.

My two biggest problems concerning practical responsible disclosure
are:

1. Vendors need time to find, address, and fix the problem. During this
period all systems all vulnerable, which seems to be alright assuming
the
researcher is the only one who knows about the vulnerability. So, how
often do you think this assumption is false? Let's take the most recent
Apple advisory for QuickTime (APPLE-SA-2006-05-11) - for CVE-2006-1249
concerning the integer overflow in FlashPix images, Apple credits two
different, probably independent researchers. If two people reported to
Apple how can we be certain that no one else is already active
exploiting
it?

2. System administrators need information in order to secure and patch
their systems. With the most recent rash of Microsoft Office 0-days,
system admins can respond with notifying their users and blocking
attachments at the e-mail server. While this will not eliminate the
threat,
it will cut the chances of exploitation. Furthermore, when patching
systems, administrators need to know the patch details to determine
their
response. Is it critical and must be deployed immediately? Are we even
affected by this? In the case of Oracle CPUs, DBAs are left empty
handed.
Database regression testing is costly and could be reduced if the
vendor
kept up their end of responsible disclosures.



William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615