madison

Zero Day

Ryan Naraine and Dancho Danchev
Home / News & Blogs / Zero Day

Indefinite vulnerability secrecy hurts us all

By | July 27, 2010, 10:17am PDT

Summary: Michal Zalewski: Indefinite vulnerability secrecy hurts us all by removing all real incentives for improvement, and giving very little real security in return.

Guest editorial by Michal Zalewski

When explaining why it is not possible to meet a particular vulnerability response deadline, most software vendors inevitably fall back to a very simple and compelling argument: testing takes time.

For what it’s worth, I have dealt with a fair number of vulnerabilities on both sides of the fence — and I tend to be skeptical of such claims: while exceptions do happen, many of the disappointing response times appeared to stem from trouble allocating resources to identify and fix the problem, and had very little to do with testing the final patch. My personal experiences are necessarily limited, however - so for the sake of this argument, let’s take the claim at its face value.

To get to the root of the problem, it is important to understand that software quality assurance is an imperfect tool. Faulty code is not written to intentionally cripple the product; it’s a completely unintended and unanticipated consequence of one’s work. The same human failings that prevent developers from immediately noticing all the potential side effects of their code, also put limits of what’s possible in QA: there is no way to reliably predict what will go wrong with modern, incredibly complex software. You have to guess in the dark.

follow Ryan Naraine on twitter

Because of this, most corporations simply learn to err on the side of caution: settle on a maximum realistically acceptable delay between code freeze and a release (one that still keeps you competitive!) - and then structure the QA work to be compatible with this plan. There is nothing special about this equilibrium: given resources, there is always much more to be tested; and conversely, many of the current steps could probably be abandoned without affecting the quality of the product. It’s just that going in that first direction is not commercially viable - and going in the other just intuitively feels wrong.

[ SEE: Skeletons in Microsoft's Patch Day closet ]

Once a particular organization has such an QA process in place, it is tempting to treat critical security problems similar to feature enhancements: there is a clear downside to angering customers with a broken fix; on the other hand, and as long as vulnerability researchers can be persuaded to engage in long-term bug secrecy, there is seemingly no benefit in trying to get this class of patches out the door more quickly than the rest.

This argument overlooks a crucial point, however: vulnerabilities are obviously not created by the researchers who spot them; they are already in the code, and tend to be rediscovered by unrelated parties, often at roughly the same time. Hard numbers are impossible to arrive at, but based on my experience, I expect a sizable fraction of current privately reported vulnerabilities (some of them known to vendors for more than a year!) to available independently to multiple actors - and the longer these bugs allowed to persist, the more pronounced this problem is bound to become.

[ SEE: Postcards from the anti-virus world ]

If this is true, then secret vulnerabilities pose a definite and extremely significant threat to the IT ecosystem. In many cases, this risk is far greater than the speculative (and never fully eliminated) risk of occasional patch-induced breakage; particularly when one happens to be a high-profile target.

Vendors often frame the dilemma the following way:

“Let’s say there might be an unspecified vulnerability in one of our products.

Would you rather allow us to release a reliable fix for this flaw at some point in the future; or rush out something potentially broken?”

Very few large customers will vote in favor of dealing with a disruptive patch - IT departments hate uncertainty and fire drills; but I am willing to argue that a more honest way to frame the problem would be:

“A vulnerability in our code allows your machine to be compromised by others; there is no widespread exploitation, but targeted attacks are a tangible risk to some of you. Since the details are secret, your ability to detect or work around the flaw is practically zero.

Do you prefer to live with this vulnerability for half a year, or would you rather install a patch that stands an (individually low) chance of breaking something you depend on? In the latter case, the burden of testing rests with you.

Or, if you are uncomfortable with the choice, would you be inclined to pay a bit more for our products, so that we can double our QA headcount instead?”

The answer to that second set of questions is much less obvious - and more relevant to the problem at hand; depriving the majority of your customers of this choice, and then effectively working to conceal this fact, just does not feel right.

[ SEE: Security engineering: broken promises ]

Yes, quality assurance is hard. It can also be expensive to better parallelize or improve automation in day-to-day QA work; and it is certainly disruptive to revise the way one releases and supports products (heck, some vendors still prefer to target security fixes for the next major version of their application, simply because that’s what their customers are used to). It is also likely that if you make any such profound changes, something will eventually go wrong. None of these facts makes the problem go away, though.

Indefinite bug secrecy hurts us all by removing all real incentives for improvement, and giving very little real security in return.

* Michal Zalewski is a computer security researcher. He has written and released many security tools, including ratproxy, skipfish and the browser security handbook.  He can be found at the lcamtuf’s blog and on Twitter.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

QA, Vulnerability, Security, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 7 Talkback(s)

  • Strawman!
    Your half-year example is a straw-man. The average for the large software vendors hover around 60 days.

    Each day with a given vulnerability in a system incurs a certain risk that somebody have already discovered it and will be targeting you. Obviously, each day adds to the total risk.

    But the next day - barring partial or full disclosure - is not more risky than the day before .

    So what it comes down to is this: With no known attacks, would you rather prefer a full disclosure - severely increasing the likelihood of attacks until the vendor has a patch ready - or would you rather that the vendor acts in a timely manner (as fast as possible) where each day is not riskier than the one before?

    Your assertion that somehow "more money" will solve the problem is without basis in reality. Barring formal system development where correctness can be mathematically proved, all software will have bugs.

    However, you can encourage vendors to work more on software quality by buying/using the products with the fewer vulnerabilities.
    ZDNet Gravatar
    honeymonster
    27th Jul 2010
  • Not really a strawman...
    @honeymonster: You're lumping in all fixes to that average - not counting severity of exploitation, whether or not an exploit is even usable in the real world (that is, what chance of success does an exploit have against a random system?), or under what conditions the exploit can be run (local, remote, etc).

    Most vendors will prioritize accordingly. A remote exploit that can cause massive damage with little effort will obviously have a higher priority than a local-access exploit that requires a victim to download some trojan from a dodgy website, then type in an administrative password. An exploit that has too many moving parts will likely wind up in the bottom of the priority list no matter what (e.g. first the exploit has to insure that a certain program at a certain patch level exists, then hope that the user disabled a few obscure system protections, then hope they have more than 4GB of RAM, etc...)

    So yeah - the "average" may be 60 days, but Microsoft (among others) have had some pretty severe (and known) bugs that they have studiously kept sitting under the rug for upwards of 6 months to a year or more. All it would take is for someone not-so-white-hatted to find and utilize it.
    ZDNet Gravatar
    Random_Walk
    27th Jul 2010
  • RE: Indefinite vulnerability secrecy hurts us all
    hahaha omg this post, I love it replica watches
    ZDNet Gravatar
    lovedong
    13th Sep
  • Zero Days don't matter if
    you run Ubuntu with Firefox sandboxed in AppArmor.

    Well, they matter, but the urgency to take corrective action is 'lessened'.



    Have I said this before? I can't remember. wink

    Be safe.
    ZDNet Gravatar
    Dietrich T. Schmitz, ~ Your Linux Advocate
    27th Jul 2010
  • RE: Indefinite vulnerability secrecy hurts us all
    There are some trade-offs here - first, don't discount the risk of regression, especially if you have a very large number of customers. The updated executable may also contain a number of additional fixes, and if you don't test them together, things break. When things break, customers don't just automatically install the patch, and vuln-days climbs quickly.

    Remember that the people running the network fear downtime more than anything else.

    Next, we fix a bunch of issues that aren't weaponized. Basically, the bar is that if you can't prove it isn't exploitable, you fix it. I don't have numbers, but quite a lot of the things that get fixed never do get weaponized. While this is the right thing to do overall, from the customer/vendor standpoint, you're taking regression risk for minimal security gain.

    I'm somewhat doubtful that things get independently rediscovered very often. What I think is most often the case is the real finder shared the bug with 3 of their closest buddies, which quickly expands to a lot of people. This actually supports your argument that vendors should attempt to drive response times as low as practically possible - IMHO, true responsible disclosure is rare. I've also witnessed incidents where finders didn't really find anything, but just pretended that to a vendor, and incidents where the finder was responsible, but the company overall had leaks.
    ZDNet Gravatar
    dcleblanc
    27th Jul 2010
  • RE: Indefinite vulnerability secrecy hurts us all
    due to all the confusions, im adding the the truth that is intently hidden on my site at deepandcrazy.com

    im the one spreading the worm indirectly which started in aug 2008. still fighting it today untouched. i cannot format(low level) . it turns out that the hacker is a trusted employee of the department of transportation at the pentagon. a lot of the news on the worm is decoys from the truth. our machines were used to cause traffic to influence a law called with dns joint forces that may now be linked to spying. the botnet wasnt found till i was told to tell fbi i discovered a hackers ring after talking to the hacker.

    our phones are used to connect wirelessly using ad-hoc to the graphics memory from a pixel error that was from a fake copy of windstream. he later added httpproxy that linked graphics(including desktop icons) to remote location. the conficters were detectable on purpose while the main worm is injected. the traffic reports that showed china and amsterdam were fake. my connection(traceroute) said i live in amsterdam while my machine pings over 2000 ips per hour since feb 2009. im adding info to my site. graphics is a huge part of this worm.

    my site is www.deepandcrazy.com

    the spam was also fake, the strange emails with strange topic was linked to numbers as commands that initianted new parts of the worm. that was one way it was spreading. the other part used memory string pointer injections from every type of textbox such as this one. this showed the worm where to find info. the botnet(real but enhanced) was used to take blame for the traffic. also my phone system was used to spread the worm using dual band packet injections that affected all users. no one is safe from this worm.

    its still at full force untouched with the highest priority of being undetected. microsoft uses the worm and was part of it since day one. it seems a probe was part of it and combined with new technology and parts of worms and viruses as an art.

    they are covering up the truth by news media with psychological intents. they pretend to be concerned, yet making it more undetectable..
    ZDNet Gravatar
    antihacker101
    5th Aug 2010
  • when words and letters disapear or swich around, its caused by injected mem
    i noticed the law passed in my last message disapeared. this happened before due to the string pointer injections into text boxes. the law is called connected to the dns joint forces that appeared to be users of countys we are at war with such as saudi arabia. why is a hacker form pentagon talking to countys of war like best buds while using our machines as servers to talk and cover it up
    ZDNet Gravatar
    antihacker101
    5th Aug 2010

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
Click Here
Click Here

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
Click Here