Defenders of the faith (Tavis acted responsibly)

Summary: Lurene Grenier: Tavis Ormandy has protected high-value targets by refusing to allow Microsoft an unreasonable timeline for patching.

TOPICS: Security

Guest editorial by Lurene Grenier

Quite recently, Tavis Ormandy released a 0-day vulnerability in a prominent piece of software. For this transgression, both he and his employer received a good deal of bad press. Sadly, very few in the professional security research community made much noise about this, and to the contrary, one man in particular came down squarely against him. Thankfully, however, we still have Brad Spengler. Last night he posted what none of us had the courage to say.

I won't rehash the post; I'd much rather you read it yourselves. But I would like to point out the timeline.

  • June 5: Tavis contacts Microsoft requesting a 60-day patch timeframe.
  • June 5-9: Tavis and Microsoft argue about the patch timeframe and are unable to come to an agreement.
  • June 9: Tavis releases the information to the public.
  • June 11: Microsoft releases an automated FixIt solution.

Tavis did not "give Microsoft 5 days to patch the bug" as was said by various media outlets.


As a few prominent security researchers (Dino Dai Zovi, Chris Wysopal) have pointed out, this strikes at the heart of the term "Responsible Disclosure". The term is a clever piece of vendor branding: it implies that any other method of disclosure is irresponsible. So we must ask, were the actions Tavis took responsible? Would it have been more responsible to allow a company to sit on a serious bug for an extended period of time? The bugs we are discussing are APT-quality bugs. Disclosing them removes ammunition from APT attackers. If your goal is to stop attacks, and bugs are the supply chain of attacks, you must make bug discovery and exploit creation prohibitively expensive compared to the return on that investment. This is why OS mitigations are helpful. Removing high-value bugs from the marketplace is what full disclosure is good at.

I'd like to explicitly debunk a couple of myths related to this issue now.

Myth 1: Targets are a commodity. (All targets carry the same value)

At some point, the security posture of common software is no longer about your mother's Windows XP desktop with a CRT monitor from 8 years back. It is not about the money wasted when salespeople's laptops need to be reimaged. It is about real security. It is about the financial information of your public company. It is about the plans for Marine One ending up in the hands of people who shouldn't have them. It is about the stability of our power grid.

Those high-value targets are the ones disclosure helps, because when a vulnerability becomes public it is no longer as useful for serious attackers. Defensive vendors provide detection and prevention mechanisms, researchers provide useful mitigations, and high-end companies are able to arm their response teams with the information necessary to protect their particular environments. The companies with high-value data that are regularly attacked are able to proactively protect themselves. The attackers who have spent significant time evaluating a company's exposure to a particular bug will now find that bug to be much less useful for a stealthy attack. Yes, you may see an uptick in attacks, but you see a downtick in overall target value. The loss due to a 20+ company exploit spree such as "Aurora" is significantly greater than the monetary loss due to low-end compromises, which can be cleaned with off-the-shelf anti-virus tools. No one is persistently using advanced exploitation techniques against low-value targets such as Joe's Desktop. These attacks are focused on large corporations, government, and military targets with the goals of industrial espionage and military superiority.


Myth 2: Only Tavis knew about the bug

The media asks, "How could attackers know about this flaw if Tavis hadn't released it?" Every bug hunter knows this question is ridiculous. Security research, like all scientific research, moves like a flock of birds. I'm relatively sure that Leibniz wasn't spying on Newton's work, but they both developed calculus at the same time. They both had the same environment and the same problem to solve, so they developed the same working solution. I'm sure I'm not the only researcher to have lost bugs to another researcher's reporting. Within the past year I have lost several bugs which on the market would have sold for in excess of $65,000. At the point the bugs became public, their value dropped to approximately $0, because companies are able to build protections against the vulnerabilities. The bugs that I lost were bugs that had lived for more than five years, yet they were discovered independently by me and others within months.

Even if no one else had found the bug, there are other ways an attacker could become aware of it. It would be unreasonable to assume that high-end researchers and their companies are not targets of espionage. The value of their research is high, and if an attacker can get a free exploit and know that it won't be patched in the next 60 days, that is a win for the attacker. It is unreasonable to assume that a bug is not known to attackers once it is found by a researcher. Tavis has protected high-value targets by refusing to allow an unreasonable timeline for patching. Tavis has devalued the vulnerability by letting companies know about a threat that they otherwise would have been unaware of.

Tavis has acted responsibly.

The long and short of this is that when only a handful of people have information, that information is very valuable and very useful. When everyone has this information, everyone can use it, but its value decreases significantly. Tavis simply devalued this flaw. Yes, what Tavis did means you might have to reimage your mother's computer when you visit at Thanksgiving. But also, what Tavis did means that you won't think twice about whether or not the power will be on when you get there. Despite branding, what Tavis did was responsible.

In this case, "responsible disclosure" wouldn't have been responsible.

* Lurene Grenier manages the analyst/research team for the Sourcefire VRT and is an active developer on the Metasploit Framework team. Her primary research revolves around the automation of exploit development when paired with intelligent fuzzing frameworks. She is an expert in reverse engineering, and has taught numerous well known professional security teams the skill. She was also responsible for the disassembly and patching of the high-profile Adobe Acrobat Reader JBIG2 0-day vulnerability.

  • microsoft is irresponsible not the exploit finders

    MS sits on dangerous bugs for months because they don't care. Release all exploits ASAP and let MS deal with them ASAP. MS is as bad as BP... their BS responses of proper firewalling etc. etc. are just irresponsible. Port 80 is ALLOWED both ways 100%, so don't tell people things are OK if you have proper firewalling.
    • sort of.

      @bspurloc: To be fair, fixing a bug does require testing. OTOH, 60 days is certainly not an unreasonable timeframe for a company of Microsoft's size and resources.
    • You know nothing of the patching process.

      @bspurloc You can slap together a patch and risk breaking large numbers of systems or you can thoroughly test the patch and release it when the process is completed. Characterizing due diligence before releasing a patch as "sitting on a bug" is ridiculous.
      Lester Young
      • As a former QA Engineer

        @Lester Young
        I can only agree whole heartedly. The question of how long is reasonable and how long is too long is a tough one, though.
      • Exposure motivates

        @Lester Young: I know from experience that Microsoft has, in the past, "sat on" many bugs for years until it was either exposed or exploited in a very visible way. It's worse when the weakness is in an interface that some element of the Office suite depends on.

        I cannot, for contractual and NDA reasons, disclose what I identified in 1995 that was still exploitable in Windows2000. I will say that it was a design flaw, not an unchecked buffer or other such software quality issue.
        • Reported as spam?

          Moderator: Please make it possible for an examination of postings "reported as spam" because sometimes someone doing the reporting has ulterior motives; I posted a completely factual and non-confrontational response but had a grammatical error; I went back in to edit it, and when I tried to save it, I found that it had been "reported as spam"; I suspect I know who did it, but it was not spam.
  • Well...

    Odd that it took a guest writer for ZDNet to get something thought-through presented. Still, potentially clickbait, but hey. Kudos for a decent attempt.
    • RE: Defenders of the faith (Tavis acted responsibly)

      @zkiwi: Agreed. It's good to see something reasonable for once.
  • RE: Defenders of the faith (Tavis acted responsibly)

    No, he did not act responsibly. The moment he made this information public he was irresponsible for his actions. There was absolutely no reason for him to do so and he should have continued to work with Microsoft on this matter. And because of him and him alone exploits were created shortly after. Explain to me again how that is being responsible instead of waiting for Microsoft to investigate the problem and issue the proper fix. I'm listening.
    Loverock Davidson
    • RE: Defenders of the faith (Tavis acted responsibly)

      @Loverock Davidson
      You're really Steve Ballmer, aren't you?

    • RE: Defenders of the faith (Tavis acted responsibly)

      @Loverock Davidson: Who is more irresponsible - the guy who finds a bug, wants a 60-day timeline to fix it, then discloses it when the vendor refuses, or the vendor who prefers to hope that it won't get exploited in the meanwhile, and basically does nothing?
      • RE: Defenders of the faith (Tavis acted responsibly)


        Horse pucky. Whatever Microsoft did or didn't do doesn't excuse this guy from telling bad guys how to do people harm. Blame MS all you want, it's end users who get hurt, not them. If you leave for vacation without locking your door - clearly your fault and no one else's - will you appreciate your neighbor advertising your address in the newspaper?
      • In this case, I think LD is right...

        @Random_Walk Quite simply, he should have continued trying to work with Microsoft, with the clear statement that he would be making his discovery public at the 60-day mark, fix or no fix. For too long have the OS creators sat on issues undeclared. I understand the reasoning behind not announcing an issue before the fix, but for a company to sit on a known issue for more time than it takes to fix it merely leaves it open for more exploits to garner data undetected.

        Maybe an arbitrary time period should be set. Upon discovery of a bug, hole, whatever..., the owner of the faulty software is given 90 days before the fault is made public. After that, they have to worry about just how long it will take someone to exploit that fault.
      • RE: Defenders of the faith (Tavis acted responsibly)

        @Random_Walk Then why didn't he wait 60 days? And why did he not just warn of the exploit's existence, as opposed to giving full details on how to implement the exploit, including source code?

        For the first time ever, I tend to agree with Loverock, apart from the bit about "And because of him exploits were created shortly after."

        There Ryan has the upper hand. There isn't anything to say that others weren't working on it as well, others might have eventually come up with the same exploit. That said, Tavis was a complete berk for releasing the source code and detailed description.

        It is one thing giving administrators and security experts enough information to arm themselves against possible attack, but it is totally irresponsible to put the exploit code out into the wild!
    • RE: Defenders of the faith (Tavis acted responsibly)

      @Loverock Davidson

      Yeah and because of him and him alone a patch will be coming as well. MS is a narcoleptic elephant, we all know that. If you want it to move you gotta poke it HARD.
      User 13
      • How do you know that?

        @User 13 "...because of him and him alone a patch will be coming as well."

        The patch was being worked on before the disclosure.
        Lester Young
      • @Lester Young:

        If they were already working on it, why not just simply TELL HIM that? The 60 Day request he made would've been moot, and he would have had NO reason to disclose the bug.

        MS is famous for sitting on bugs for YEARS without fixing them. What this guy did was indeed responsible.
    • RE: Defenders of the faith (Tavis acted responsibly)

      @Loverock Davidson
      " I'm listening."

      No, you are not.
    • RE: Defenders of the faith (Tavis acted responsibly)

      @Loverock Davidson

      I agree with "waiting for Microsoft to investigate the problem and issue the proper fix." The Windows install base is enormous. They can't just whip up a patch and send it out without extensive testing. McAfee recently released an update and crashed thousands of computers because it wasn't tested on XP SP3 (if I remember the ZDNet articles correctly). Granted that's an unbelievable lapse in QC but it's the same principle.

      "The long and short of this is that when only a handful of people have information, that information is very valuable and very useful. When everyone has this information, everyone can use it, but its value decreases significantly."

      This statement is crazy when applied to an unpatched vulnerability.
  • Intelligent, thoughtful article

    When corporate America comes up with branding campaigns like "responsible disclosure" it always amazes me how many sheep jump on the bandwagon. The best cure for software bugs is no different than the best cure for other failures...lots and lots of sunlight. Without full and timely disclosure all we've got is a handful of people who know about a vulnerability...and most of those people are probably either working on an exploit or are already exploiting the vulnerability.