[Dshield] Security Firm May Stay Mum on Vulnerabilities in theFuture

Roger A. Grimes roger at banneretcs.com
Tue Aug 9 03:24:08 GMT 2005


I don't want to start a flame war, but I'm in the small camp that
doesn't necessarily see the big benefit of public disclosure. I found
dozens of serious bugs over the years and reported them to vendors who
usually fixed them. Some fixed them right away, some took awhile, and a
few have never been closed.  But that's okay, I don't need the bragging
rights, and most of the bugs were fixed without a single PUBLISHED
exploit.  On a few ocassions, the bugs were fixed because the vendors
thought they were features and not security risks.  Two examples are
NTFS alternate data streams and macro viruses. AV vendors (Paul, you
know this better than anyone) knew about these exploit avenues years
before the first public exploit came out.  By not public disclosing
them, the vast majority of the world may have slept with false comfort,
but they also probably didn't get compromised.

All I see is public disclosure after public disclosure, followed by POC
and new worms in days.  I've yet to find evidence of a non-disclosed
zero-day exploit used to compromise my computers, but I've got 18 years
of history of malware that was successful against client machines after
the public disclosure was made.

I'm not even arguing about how public disclosure does force vendors to
respond sooner than they otherwise would. I'm just saying that in
practical work hours wasted fighting malware, public disclosure has
NEVER been my friend.

Just my one half cent.

Roger

************************************************************************
***
*Roger A. Grimes, Banneret Computer Security, Computer Security
Consultant 
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger at banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
************************************************************************
****



-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Fergie (Paul
Ferguson)
Sent: Monday, August 08, 2005 1:21 PM
To: list at lists.dshield.org
Subject: [Dshield] Security Firm May Stay Mum on Vulnerabilities in
theFuture

I can assure you, that if this company (or any others) follow through on
their promise not to disclose vulnerabilities that they might find to
the public, there will be a backlash like no one will believe is
possible.

Paul F. Roberts writes in eWeek:

[snip]

The security research company responsible for discovering a software
hole later used by the Slammer worm is considering an end to its policy
of publishing details of vulnerabilities to public forums.

Next Generation Security Software Ltd., a Surrey, England, company
founded by brothers David and Mark Litchfield, is weighing a change that
would keep details of software vulnerabilities between NGS and the
software vendor affected.

The change in policy, which is still under consideration, comes amid
heightened debate about the practices of independent security
researchers after a former employee of Internet Security Systems Inc.
revealed details of a serious hole in Cisco Systems Inc.'s Internet
Operating System, which is run by many of the machines that make up the
Internet's critical infrastructure.

[snip]

http://www.eweek.com/article2/0,1759,1843819,00.asp

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet  fergdawg at netzero.net or
fergdawg at sbcglobal.net  ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



More information about the list mailing list