Vulnerability Rediscovery and Social Utility of Vuln Hunting

Posted by jericho Fri, 24 Jun 2005 08:44:32 GMT

http://infosecon.net/workshop/pdf/10.pdf The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting by Andy Ozment

Abstract

Initial attempts to apply software reliability growth models to the process of vulnerability finding relied upon noisy data. Here, a more appropriate data collection process is discussed and employed to identify the age of vulnerabilities in OpenBSD 2.2. A number of models are tested against the data and two are found to have acceptable goodness-of-fit. These models indicate that the pool of vulnerabilities in the system is being depleted. However, models that also fit the data but do not indicate depletion may also exist. While this result is thus not conclusive, it does suggest that more investigation is needed and that, contrary to prior work, vulnerability depletion cannot yet be ruled out. It is thus possible that vulnerability hunting can result in a more secure product and can provide a social benefit. Patch announcements and vulnerability reports are also used to quantitatively (albeit roughly) demonstrate that vulnerabilities are often independently rediscovered within a relatively short time span. This finding provides a quantitative and qualitative rationale for vulnerability disclosure policies intended to pressure vendors into more rapidly providing patches. Although neither result is conclusive, both contradict previous work by providing support for the conclusion that vulnerability hunting is socially useful.


Emerging Issues in Responsible Vulnerability Disclosure

Posted by jericho Wed, 15 Jun 2005 09:52:50 GMT

http://infosecon.net/workshop/pdf/cavusoglu.pdf http://infosecon.net/workshop/slides/weis43.ppt

EMERGING ISSUES IN RESPONSIBLE VULNERABILITY DISCLOSURE Hasan Cavusoglu, Huseyin Cavusoglu, Srinivasan Raghunathan

Abstract

Security vulnerability in software is the primary reason for security breaches, and an important challenge for IT professionals is how to manage the disclosure of vulnerability information. The IT security community has proposed several disclosure policies, such as full vendor, immediate public and hybrid, and has debated which of these should be adopted by coordinating agencies such as CERT. Our early study (Cavusoglu et al. 2004a) analyzed the optimal disclosure policy that minimizes social loss when vulnerability affects only one software vendor. In this paper, we extend our early work in three directions in order to shed light on current issues in the vulnerability disclosure process. (i) When the vulnerability affects multiple vendors, we show that the coordinator’s optimal policy cannot ensure that every vendor will release a patch. However, when the optimal policy does elicit a patch from each vendor, we show that the coordinator’s grace period in the multiple vendor case falls between the grace periods that it would set individually for the vendors in the single vendor case. (ii) We analyze the impact of an early discovery, which can be encouraged with proper incentive mechanisms, on the release time of the patch, the grace period, and the social welfare. (iii) We also investigate the impact on the social welfare of an early warning system that provides privileged vulnerability information to selected users before the release of a patch for the vulnerability. Finally, we explore the several policy implications of our results and their relationship with current disclosure practices.


Days of Risk

Posted by jericho Fri, 22 Apr 2005 06:24:58 GMT

The last few months have seen a lot more talk about the “Days of Risk”. In short, vendors like Microsoft define the days of risk as the time between vulnerability information (or an exploit) being released and a system being patched. So if a new vulnerability is announced on Tuesday and I patch on Friday, there were three days of risk. This makes sense, and it is also why many vendors advocate responsible disclosure and coordinated vulnerability announcements.

So what has been happening lately? I’ve noticed that my Windows XP system’s “auto-update” feature is lagging heavily. Vulnerabilities are announced on a Tuesday, and it is as many as six days before my machine will alert me, download and install the patches. The question this post raises is: is six days a lot of risk? To get an idea, let’s look at a few of the recent vulnerabilities announced by Microsoft, with the date the advisory was published and the date a public exploit appeared.

MS05-016, Windows MSHTA Shell Application Association Arbitrary Remote Script Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-13

MS05-021, Exchange Server SMTP Extended Verb Remote Overflow
Disclosure: 2005-04-12 // Exploit: 2005-04-19

MS05-020, IE DHTML Object Memory Corruption Code Execution
Disclosure: 2005-04-12 // Exploit: 2005-04-12

So the exploits followed disclosure by 1 day, 7 days and 0 days respectively. With a six-day lag before the patch is actually applied, two of the three exploits were public for days while the machine was still unpatched. Due to the lag in Microsoft making the patches available (I honestly don’t care what their excuse is), my computers are vulnerable and there is nothing I can do about it. I don’t think I need to address the fact that many of these vulnerabilities had fully working exploit code developed long before the Microsoft advisories either. Sure, they were held by the researchers and not disclosed, but information is shared, information is leaked, and information is stolen. That is a fact of life, and it only increases the days of risk.
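To make the arithmetic above reproducible, here is a small added example (not code from the original post) that computes two windows for each advisory: the days of risk as the vendor defines it (disclosure to patch applied) and the narrower window during which a public exploit existed and the host was still unpatched. The advisory and exploit dates are the ones quoted in the post; the patch-applied date assumes the six-day Automatic Updates lag the post describes.

```python
from datetime import date, timedelta

# Constructed from the dates quoted in the post. The "patched" date is an
# assumption: disclosure plus the six-day auto-update lag described above.
ADVISORIES = [
    # (advisory id, disclosure / patch release date, public exploit date)
    ("MS05-016", date(2005, 4, 12), date(2005, 4, 13)),
    ("MS05-021", date(2005, 4, 12), date(2005, 4, 19)),
    ("MS05-020", date(2005, 4, 12), date(2005, 4, 12)),
]

AUTO_UPDATE_LAG = timedelta(days=6)  # assumed delivery delay on the client


def days_of_risk(disclosed, patched):
    """Vendor-style days of risk: disclosure until the patch is applied."""
    return (patched - disclosed).days


def exploited_exposure(disclosed, exploit_public, patched):
    """Days on which a public exploit existed and the host was still unpatched.

    The window opens at the later of disclosure and exploit publication and
    closes when the patch lands; it is zero if the patch beat the exploit.
    """
    start = max(disclosed, exploit_public)
    return max((patched - start).days, 0)


def exposure_report(advisories=ADVISORIES, lag=AUTO_UPDATE_LAG):
    """Return per-advisory windows, assuming each patch is applied after `lag`."""
    report = {}
    for adv_id, disclosed, exploit_public in advisories:
        patched = disclosed + lag
        report[adv_id] = {
            "days_to_exploit": (exploit_public - disclosed).days,
            "days_of_risk": days_of_risk(disclosed, patched),
            "exploited_exposure": exploited_exposure(disclosed, exploit_public, patched),
        }
    return report


if __name__ == "__main__":
    for adv_id, windows in exposure_report().items():
        print(adv_id, windows)
```

With the six-day lag, MS05-016 and MS05-020 leave the host unpatched with a public exploit for five and six days respectively, while MS05-021's exploit only appeared the day after the patch would have landed. Shrinking the lag is the only variable the administrator controls; the disclosure-to-exploit interval is not.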


Software Vendors Should Come Clean on Security Holes

Posted by jericho Sat, 02 Apr 2005 20:09:34 GMT

Software Vendors Should Come Clean on Security Holes By Jim Rapoza March 28, 2005

Opinion: When it comes to fixing bugs and vulnerabilities, the Sgt. Schultz approach amounts to nothing.

Most people tend to agree with the old adage: Knowledge is power. But there are some groups that think knowledge is a bad thing— knowledge on the part of others, at least—and these groups work hard to keep people in a state of blissful ignorance.

[..]


Legal threat stops flaw info release

Posted by jericho Sat, 02 Apr 2005 04:59:38 GMT

Legal threat stops flaw info release

By Jaikumar Vijayan, March 25, 2005, Computerworld

A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase’s database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.

Blocking the release of vulnerability information “would set a bad precedent” for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.

Responsible disclosure of software flaws by vulnerability researchers has “significantly improved” the security of products, Powers said. “Preventing disclosure through the threat of legal action can only hurt security,” he said.

[..]


The Price of Restricting Vulnerability Publications

Posted by jericho Sat, 02 Apr 2005 04:46:47 GMT

Jennifer Granick has published a new paper titled The Price of Restricting Vulnerability Publications.

Abstract:

There are calls from some quarters to restrict the publication of information about security vulnerabilities in an effort to limit the number of people with the knowledge and ability to attack computer systems. Scientists in other fields have considered similar proposals and rejected them, or adopted only narrow, voluntary restrictions. As in other fields of science, there is a real danger that publication restrictions will inhibit the advancement of the state of the art in computer security. Proponents of disclosure restrictions argue that computer security information is different from other scientific research because it is often expressed in the form of functioning software code. Code has a dual nature, as both speech and tool. While researchers readily understand the information expressed in code, code enables many more people to do harm more readily than with the non-functional information typical of most research publications. Yet, there are strong reasons to reject the argument that code is different, and that restrictions are therefore good policy. Code’s functionality may help security as much as it hurts it and the open distribution of functional code has valuable effects for consumers, including the ability to pressure vendors for more secure products and to counteract monopolistic practices.

