Google Device Vulnerabilities, EULA and more
Posted by jericho
H D Moore recently wrote that he discovered several vulnerabilities in the Google Search Appliance. Details are on the Metasploit Vulnerability Page, and the corresponding entries can be found by searching OSVDB. Normally this wouldn’t be worth posting about, but Moore’s comments on the Google EULA and how it impacts vulnerability research are worth noting. From his mail:
I found some fun bugs in the Google Search Appliance and uploaded the results in preparation for a Monday morning release. To get an idea of how many affected systems there are, just Google for inurl:proxystylesheet. Google released a patch on August 16th and I agreed to wait at least 60 days past that before disclosing the bugs.
A warning to anyone who owns one of these appliances - the EULA and confidentiality agreement prohibit any form of security research or publication of results. After I reported the issue, their security team offered to send me a Mini for patch verification, but agreeing to the license terms would prevent me from publishing any information about the product in the future. I got a beach towel and shirt instead :-)
This also brings up why Google won’t publicly release their security advisories. Searching Google for “GA-2005-08-m” finds one reference to someone having problems with the latest patches, but no copies of the advisory. Seems Google is all about organizing and sharing world information... unless it’s information on their own vulnerabilities? Oh wait, “the Google Search Appliance does not create security issues”!

At this point, most vendors - especially US vendors - should have implemented some form of the National Infrastructure Advisory Council’s (NIAC) vulnerability disclosure framework, outlined at http://www.dhs.gov/interweb/assetlibrary/vdwgreport.pdf
Beyond the report’s overall “disclosure is good when done well” theme, it also states that “Robust information sharing of vulnerabilities, threats, countermeasures, and best practices is key to minimizing threats to critical infrastructure networks” and that “Vendors should provide an avenue for customers to proactively (opt-in) sign up to receive security advisory information from the vendor.” A confidentiality clause that forbids customers from researching or publishing anything about the product, and an advisory that isn’t publicly available, are hard to reconcile with either recommendation.