[Infowarrior] - Daily flaws ratchet up disclosure debate

[Richard Forno]

 Daily flaws ratchet up disclosure debate
Robert Lemos, SecurityFocus 2006-07-14
http://www.securityfocus.com/news/11400?ref=rss

HD Moore is used to polarizing the vulnerability-research community.

As the creator of the Metasploit Project, an open-source tool for automating
the exploitation of vulnerabilities, Moore has had his share of contentious
debates with other security professionals. However, his latest
endeavor--releasing a browser bug every day during the month of July--has
raised hackles on both sides of the security equation, among the black-hat
as well as white-hat researchers.

After the first week of flaws were released, one online miscreant from
Russia shot off an e-mail to Moore, complaining that he had outed a
vulnerability the Russian had been exploiting, Moore said.

"The black hats don't like that the fact that this is public because they
have been using these bugs," Moore said. "By dumping out the bugs on the
community, I'm clearing the air and letting the good guys know what others
are doing."

Yet, the release did not seem so altruistic to Microsoft, whose Internet
Explorer browser suffers from the lion's share of the bugs found by Moore.
The software giant indirectly criticized the release of vulnerabilities in a
statement to SecurityFocus, underscoring the importance of getting customers
updated before they are exposed to threats from malicious attackers.

"Microsoft continues to encourage responsible disclosure of
vulnerabilities," the software giant said in a statement sent to
SecurityFocus. "We believe the commonly accepted practice of reporting
vulnerabilities directly to a vendor serves everyone's best interests."

The software giant stressed that many of the flaws merely crashed the
Internet Explorer browser, while the more serious vulnerabilities were fixed
in the recent MS06-021 security update.

Other browsers had fewer flaws, Moore said. He discovered some issues with
Mozilla's Firefox had, but the group fixed them quickly, he said. Opera's
browser, at least the most recent version, stood up quite well

"Opera 8.5 fell apart ten different ways, but 9.0 looks pretty solid," he
said.

While Microsoft and other software makers have improved their relationships
with many flaw finders, other researchers have ratcheted up the pressure on
the companies to fix the vulnerabilities in their systems. After finding a
flaw in the online-application Web site of the University of Southern
California, security professional Eric McCarty decided to go public with the
issue to put pressure on the university and is now being prosecuted for
breaching the site's security. Another researcher, David Litchfield,
released descriptions of Oracle flaws, after the database maker failed to
patch the issues immediately.

In the most recent case, Moore had first warned software makers of the
threat posed by potential attackers using the tools, known as fuzzers.
Because response to the warning seemed slow, he decided to publicly release
many of the bugs, one each day in July.

The avalanche of browser flaws underscores the problems for software vendors
as fuzzers become more popular. The flaw-finding programs systematically
change the data sent to an application to see how the software reacts. In
many cases, bad data can cause an application to crash; other times, the
application's response to the mangled data reveals underlying security
flaws. HD Moore used five different fuzzers--all but one of which is
publicly available--to find hundreds of vulnerabilities in the major
browsers, he said.

"People now have a feeling about how things stand," Moore said. "There will
be five or six tools that they can run and find out what flaws potentially
could be exploited."

While the Month of Browser Bugs project has come under criticism, the
objections of the black hat community underscores why it is important.
Making the vulnerabilities known will prompt software developers and
defenders to respond to threats and secure their systems, said Peter Swire,
a professor at Ohio State University's Moritz College of Law.

"The attackers probably know about the vulnerabilities, the defenders have
not patched pervasively, so disclosure will tend to help the defenders,"
Swire said.

In a paper published in 2004, Swire argued that--while there are cases where
obscurity can help security--that's not the case for Internet-connected
computers. After informing the software maker and giving them time to patch
the problem, releasing the information helps overall security, he said.

"In many cyber applications, it makes sense to use openness," Swire said.
"The factors tilt towards openness because the attackers can attack
repeatedly, learn from the attacks and tell people about the attack. It is
different from many real world applications where they can get the plans for
the banks and that will help them with the attack because they know where to
step to avoid the alarm sensors."

Others have taken the issue of disclosure as an incentive to secure systems
to a more extreme degree. In a law note published in the Harvard Law Review
(PDF) last month, recent graduate Jonathan Lin argued that even acts of
cybercrime that do not cause major damage should be considered a benefit
because it helps secure the Internet, similar to disclosure.

"I think there should be a more nuanced approach to how we measure what are
the most damaging attacks," said Jonathan Lin, a recent graduate from
Harvard University's School of Law and the author of the note.

Focusing on the online vandals that do minor damage to systems through
attacks that highlight security risks may not be the best use of government
resources, he said. The result of such prosecution could be a far less
secure Internet, he argued.

"It is really difficult for the U.S. government to protect itself from
attacks that span the globe," he said. "So the centralized response of
prosecution is not going to be very effective--it feels almost like a lost
cause. We have to do something about it, but I feel that the effort is
focused on the wrong threat."

Looked at from an economic perspective, the enhanced security that comes
from disclosure--and some minor cybercrimes--is known as a positive
externality, a beneficial effect on the consumer from an event in which they
did not participate, said Eric Goldman, director of the High-Technology Law
Institute at Santa Clara University's School of Law. While online attackers
target vulnerable software applications, when the software maker offers a
program patch to close the security hole, the consumer benefits.

However, the flip side of the effect--so-called negative
externalities--typically outweigh the positive for acts such as cybercrime,
Goldman said.

"There is no real wealth created by the investments in security, it is just
a cost of everything we do in our lives," said. "When the (Harvard) article
argues that we create a social benefit, it could also be argued that the
person is creating a bunch of dead-weight losses that really don't benefit
society."

Certainly, software makers, who now have to run multiple data-fuzzing tools
against their software, may feel that way. The dramatic daily release of
bugs during July is a warning that the companies need to use data-fuzzing
tools to find application flaws before attackers find the weaknesses first.
The number of exploits of previously unknown flaws--called zero-day
exploits--detected by security firms has also, at least anecdotally,
increased dramatically over the last year.

And these tend not to be flaws that can easily be found by
researchers--fuzzer-found flaws tend to be somewhat obscure, Moore said.

"These weren't well-understood bugs," he said. "They are really strange
issues that it is really hard to understand, even after the fact. For
example, one ActiveX bug requires ten different variables be set."

Microsoft has made fuzzing part of its Software Development Lifecycle and
runs the tools, not just against browsers, but its other software as well, a
spokesperson said.

While Moore has grown somewhat tired of fuzzing, he is not done quite yet. A
yet-unreleased data-fuzzing tool has found a number of other vulnerabilities
in the current version of Internet Explorer, he said. He has not released
information on those issues, except to Microsoft, but plans to create a tool
so that system administrators can eventually check their systems for the
flaws.

CORRECTION: The article's discussion of Peter Swire's paper and position was
clarified to stress that he believes proper disclosure involves first
notifying the vendor, giving them time to fix the issue and then releasing
vulnerability information.