A Word on Solutions (edit source code)

Posted by jericho Thu, 15 Dec 2005 02:07:15 GMT

Oftentimes you will see a VDB or researcher disclosure offer the solution ”Edit the source code to ensure that input is properly sanitised.” I’ve never been fond of this for several reasons. First and probably the most obvious, duh? If I proclaim “send food to the hungry”, have I now provided a solution for world hunger? No need to debate semantics or definitions; the bottom line is I haven’t (or we wouldn’t have the problem anymore). So offering a solution of “editing the source to sanitize input” is about as helpful as my solution. Second, if the solution was really so easy, wouldn’t the developers have done it in the first place? Couldn’t we apply such advice to all programs from all projects? Third, most users and administrators don’t have the programming experience to make such source code changes. Even if they did, most simply don’t have the time to edit every package they may use, let alone fully test their changes and ensure functionality and security.


Comments

  1. Xavier said about 13 hours later:

    Great that you brought this up. It amazes me how someone could put so much time, or in some cases not much at all, but enough to figure out and post examples or proofs of concept, and yet throw up that half-assed line.

    If you are unable to think up a solution, fix, or anything that assists administrators with the vulnerabilities, then don’t include the “Solution” part of your advisory. It’s just a waste of text.

  2. aekelly said about 15 hours later:

    “Even if they did [have the programming experience], most simply don’t have the time to edit every package they may use, let alone fully test their changes and ensure functionality and security.”

    This is the killer and especially true with editing source code written in the C programming language. Foreign obfuscated code (code that you didn't write and can barely be interpreted) can be especially challenging. There is even the International Obfuscated C Code Contest: http://www.ioccc.org/

    When vulnerability databases and researchers shift the focus from a vendor solution to a user solution, the users/admins who are not capable of creating a solution suffer. Plus, a vendor solution would reach more people instead of some unofficial patch being distributed among users/admins.

    Yet again, there are vendors who don't provide solutions, so the vulnerability databases and researchers maybe feel the need to plant the idea of editing the source code in users'/admins' minds: that, yes, you could fix this if you _really_ needed to, go out and spend countless hours learning the language to make the changes.

    And, I suppose, an alternative would be cases where you cannot edit the source code, in some closed source software (reverse engineering excluded). Maybe the vulnerability databases and researchers are trying to make a distinction between the two possibilities. However, I doubt this is a conscious decision.

    Overall, I agree, going with "no solution" is the way to go. Changing somebody else's code is a pain in the ass... let the vendor maintain its/his/her own code.
    
