August 20, 2005
Responsible or irresponsible, that is the issue
The debate over the right to so-called irresponsible disclosure continues.
Several days ago, FrSIRT published the code for a 0-day exploit in a less popular Internet Explorer plugin, 'msdds.dll'. FrSIRT claims to have received the exploit from an anonymous source.
Microsoft issued a statement on this bug, in which they are saying:
Microsoft is investigating new public reports of a possible vulnerability in Internet Explorer. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. Microsoft is aggressively investigating the public reports.
Besides the above statement, Microsoft was reported to be actively criticising the way the vulnerability was disclosed. I tend to agree with them on this issue and in general.
For instance, about a week ago, Dr. Peter Bieringer (pbieringer at aerasec.de) reported a vulnerability in Kaspersky AntiVirus Unix/Linux File Servers that can be used to obtain local root access. Oops! Being a local exploit, the impact of this is not too severe, however, it still is a serious issue for any security company. Dr. Bieringer reported the vulnerability to our TS, and waited until a patch was released before going public. This allowed us to investigate the matter, to produce the patch, to properly test it and release it to the public. Then he went ahead and posted a public note about his findings. This is responsible disclosure.
On the other hand, there is no doubt that irresponsible disclosure - highly praised by some supporters of the freedom of speech and such who lack any perception at all - is here to stay.
Whenever this happens, especially with severe vulnerabilities, the first to suffer from it are the users; either somebody writes some malware which uses the vulnerability to spread, or cybercriminals begin using the exploit to gain access to confidential data. The company at fault suffers as well - they have to rush to come out with a patch, most of the time without sufficient testing. I remember an older statistic, from the '90s, which said that for every three bugs you fix, a new one is added. My coding experience falls in line with these numbers.
The minor advantages of irresponsible disclosure thus become irrelevant in the light of the many negative ways in which the information can be misused. I even dare say that irresponsible disclosure is a direct and premeditated way to harm the users and the developer of the software in question. And premeditation in any type of crime offers no excuse at all for the actions.
So let's not confuse freedom of speech with irresponsibility, or premeditated crime with infantile stupidity.
Oh, and almost forgot. Is there any reason at all to use Internet Explorer to browse the web these days?
Posted by Costin Raiu at August 20, 2005 3:54 PM
Comments
Regarding responsible disclosure, I agree with you.
> Oh, and almost forgot. Is there any reason at
> all to use Internet Explorer to browse the web
> these days?
Yes, there is, it's just business. Do you know any antivirus/security company that loudly says to their customers: "do not use IE"? Even the anti-spyware coalition in their definitions document (http://www.antispywarecoalition.org/definitions.pdf) didn't mention the possibility of switching to safer browsers. IMHO, it's the easy answer: it's just business.
Posted by: vinicius at August 21, 2005 8:11 PM
> Yes, there is, it's just business. Do you know any antivirus/security company that loudly says to their customers: "do not use IE"?
Actually, I do. :-) We've been doing that on a regular basis, in our weblog at viruslist.com.
Every time I've written about a new vulnerability in IE or announced a new release of Firefox, I've also tried to tell our readers to stop using IE and consider more secure options, such as Opera or the above-mentioned FF. I know there are websites which only work with IE (e.g. my e-banking account or Microsoft's Secure File Exchange website) but other than that, there is no reason whatsoever to use IE to browse the web.
On the other hand, some say IE7 will be better. I'm looking forward to that, even if I'm kind of skeptical - too many of the Internet Explorer vulnerabilities are not actually vulnerabilities in the browser itself but in the way it is interfaced with other components of the system.
Posted by: Costin Raiu at August 21, 2005 9:05 PM