Oftentimes you will see a VDB or researcher disclosure offer the solution “Edit the source code to ensure that input is properly sanitised.” I’ve never been fond of this for several reasons. First, and probably the most obvious, duh? If I proclaim “send food to the hungry”, have I now provided a solution for world hunger? No need to debate semantics or definitions; the bottom line is I haven’t (or we wouldn’t have the problem anymore). So offering a solution of “editing the source to sanitize input” is about as helpful as my solution. Second, if the solution were really so easy, wouldn’t the developers have done it in the first place? Couldn’t we apply such advice to all programs from all projects? Third, most users and administrators don’t have the programming experience to make such source code changes. Even if they did, most simply don’t have the time to edit every package they may use, let alone fully test their changes and ensure functionality and security.
David Litchfield posted to Full-Disclosure pointing out more Oracle errata: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0449.html
From: David Litchfield (email@example.com)
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Date: Tue, 15 Nov 2005 13:12:41 -0000
Subject: [Full-disclosure] Three years and ten months without a patch
Whilst looking over old Oracle bugs I discovered that a fully patched 18.104.22.168 Oracle server is still vulnerable to the old extproc flaw; this flaw, when exploited, allows a remote attacker without a userID and password to take control of the server. Why, you may ask, has a supported product gone for so long without a patch for a serious problem that was made public 3 years and 10 months ago and reported to Oracle over 4 years ago?
Litchfield’s mail contains a link to additional commentary with an answer to the question above. Oracle can spin this how they please, but I think Litchfield has hit the nail on the head.
Seeking an answer to this I found the following in Alert 57:
Currently, due to architectural constraints, there are no plans to release a patch for versions 22.214.171.124, 126.96.36.199, 8.1.6.x, 8.1.5.x, 188.8.131.52, 8.0.5.x, 7.3.x, or other patchsets of the supported releases.
What? Wait a minute. They managed to fix the flaw and deal with the same “architectural constraints” in other versions – why not 184.108.40.206? A cynical observer might conclude that Oracle have deliberately left this unpatched in order to improve the chances of their user base upgrading to a version of Oracle that has a patch and having to part with more money. Oracle customers running 220.127.116.11, or any of the versions listed above would be right to feel indignant. This is exactly the kind of thing I was referring to when I posted this open letter.
I had planned on writing about this weeks ago but got swamped with that pesky day job along with the steady stream of new vulnerabilities released daily. That stream absolutely will not get any smaller with vendors taking a new approach to dealing with them. Fortunately for me, John Dvorak wrote an article and voiced some of my opinion as well. This comes some three years after Richard Forno wrote a related piece.
The Microsoft Protection Racket
By John C. Dvorak
Does Microsoft think it is going to get away with charging real money for any sort of add-on, service, or new product that protects clients against flaws in its own operating system? Does the existence of this not constitute an incredible conflict of interest? Why improve the base code when you can sell “protection”? Is Frank Nitti the new CEO?
So what is actually going on here? I think there were some bottom-line questions that must have been brought up internally. Obviously someone at Microsoft looked at the expense of “patch Tuesday” and asked, “Is there any way we can make some money with all these patches?” The answer was “Yeah, let’s stop doing them and sell ‘protection’ instead.” Bravo! And now the company has a new revenue stream.
What Dvorak doesn’t mention, and what is just as important, is that Microsoft is not the only one doing this. A colleague recently pointed out that Symantec is offering IDS/IPS signatures for vulnerabilities in their own software. So instead of truly patching a vulnerability, they can quickly write a rule/filter to stop a specific, known attack. While this is often effective, history shows us that such solutions often fall victim to being bypassed with crafted requests, altered exploit code or various evasion techniques.
SYM05-011 – August 12, 2005
VERITAS Backup Exec for Windows Servers, VERITAS Backup Exec for NetWare Servers, and NetBackup for NetWare Media Server Option Remote Agent Authentication Vulnerability
8/12/2005 – Revision One – updated details, affected products and response information.
8/12/2005 – Revision Two – Adding Tech Support links to currently available product updates as tested and posted for download by Symantec engineers. Link to IDS/IPS signatures for Symantec Security products.
8/13/2005 – Revision Three – Added Tech Support link to additional product updates. All supported affected products have updates available now.
8/14/2005 – Revision Four – Added links to IDS/IPS signatures for additional security products. All relevant Symantec Security products have signatures available now.
Again, what is the motivation/incentive for a vendor to patch a vulnerability, when they can just as easily ignore it, and spend time developing a profitable workaround or additional product?
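The brittleness of a signature-style workaround versus a real code fix, as an added example that is not code from Symantec or any vendor discussed above. The signature, the handler and the sample requests are all constructed; the point is that the rule matches only the exact form it was written for, while the fix rejects the whole class of input.

```python
"""Constructed comparison: a blocklist 'IPS rule' versus an actual code fix."""
from urllib.parse import unquote
import posixpath

# Constructed signature: block the literal traversal token from the original
# report. This is what a quick IDS/IPS rule amounts to.
SIGNATURE = "../"

def signature_blocks(raw_path: str) -> bool:
    """True if the rule would drop the request exactly as received."""
    return SIGNATURE in raw_path

def fixed_handler_accepts(raw_path: str, allowed_dir: str = "/var/www/files") -> bool:
    """The real fix: decode (twice, to undo double-encoding), normalise the path,
    then require it to stay inside the allowed directory (an allowlist check)."""
    decoded = unquote(unquote(raw_path))
    full = posixpath.normpath(posixpath.join(allowed_dir, decoded.lstrip("/")))
    return full == allowed_dir or full.startswith(allowed_dir + "/")

# Constructed sample requests: the reported form, two trivially altered forms of
# the kind the text calls "crafted requests", and a legitimate request.
SAMPLES = {
    "../../etc/passwd": "as originally reported",
    "..%2f..%2fetc/passwd": "percent-encoded slash",
    "%252e%252e/etc/passwd": "double-encoded dots",
    "reports/2005/q3.pdf": "legitimate request",
}

def compare(samples=SAMPLES):
    """Map each sample to (blocked_by_signature, accepted_by_fixed_code).
    The rule needs a new entry per variant; the fix needs none."""
    return {p: (signature_blocks(p), fixed_handler_accepts(p)) for p in samples}

if __name__ == "__main__":
    for path, (blocked, accepted) in compare().items():
        print(f"{SAMPLES[path]:>24}: rule blocks={blocked!s:5} fix accepts={accepted}")
```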
From: David Litchfield (davidl @ ngssoftware.com)
To: bugtraq @ securityfocus.com, ntbugtraq @ listserv.ntbugtraq.com
Date: Thu, 6 Jan 2005 16:01:26 -0000
Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Dear security community and Oracle users,
Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there’s a lot of private information about me stored in Oracle databases out there. I have good reason, like most of us, to be concerned about Oracle security; I want Oracle to be secure because, in a very real way, it helps maintain my own personal security. As such, I am writing this open letter
From: Cesar (cesarc56 @ yahoo.com)
To: David Litchfield (davidl @ ngssoftware.com), bugtraq @ securityfocus.com, tbugtraq @ listserv.ntbugtraq.com
Date: Thu, 6 Oct 2005 11:41:33 -0700 (PDT)
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
I support David 100% and I would like to add a few comments (I can’t avoid doing this :)):
I remember reading an article where Larry Ellison said that Oracle database servers were used by the FBI, CIA, USSR government, etc. He referenced that as saying our software is the most secure, top government agencies from the most powerful nations use it. If you hear or read that it sounds great, and if you were looking for a database server at that moment maybe you would run to buy Oracle software, the same when you hear and read Oracle Unbreakable everywhere. What Larry Ellison says is very easy to say but it is also very difficult to prove. It seems that this kind of statement has been useful for Oracle since the company continues doing the same, “just talking”. I can say that we at Argeniss break Oracle database server all the time, we are tired of breaking Oracle, it’s so easy, Oracle software is full of security vulnerabilities and this is nothing new, most security researchers know about this and also the bad guys who are actively exploiting the vulnerabilities. But I can say this and I can also prove it, we have found more than a hundred vulnerabilities and we can show them to people. I wonder if Larry Ellison can prove all the statements he says or Oracle people say.
The economy of phishing: A survey of the operations of the phishing market
Phishing is the fraudulent acquisition of personal information by tricking an individual into believing the attacker is a trustworthy entity. This paper is the result of a detailed analysis of 3,900,000 phishing e-mails, 220,000 messages collected from 13 key phishing-related chat rooms, 13,000 chat rooms and 48,000 users, which were spidered across six chat networks and 4,400 compromised hosts used in botnets. Phishing e-mails are only a small aspect of the overall phishing economy and, until now, the only aspect seen by most people. The phishing economy is a decentralized and self-organized social network of merchants and consumers governed by laws of supply and demand.
This paper presents the findings from this research as well as an analysis of the phishing infrastructure.
Kenneth Belva of Franklin Technologies United, Inc. announced a paper titled “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk”. The paper was delivered as the keynote address at the FiTech Summit 2005. In his announcement, he states “This paper should be regarded as a starting point for further, positive discussion” and he is right, but this is an excellent first step.
From the paper:
What is the impact of an information security breach both monetarily and on one’s reputation if the breach is publicly disclosed? And, just as important, why does it happen in the way that it does? What are the factors that lead to the results (outcomes)? This becomes especially relevant as most States are beginning to pass laws similar to California’s SB1386.
The title of my presentation — How It’s Difficult to Ruin a Good Name — may have hinted at my conclusion.
Another person commented that this follows an article by Richard Menta titled “A need to know” which goes into breaches, investors and consumer confidence. The article ends:
As an illustration: on February 14, 2005 information aggregator ChoicePoint announced hackers had breached its network and stolen the personal information of up to 500,000 people.
How did Wall Street react? The firm’s shares plummeted 15 percent.
A few years back, a couple of journalists and security professionals brought this same thing up on a mail list, but questioned the impact of vulnerabilities and companies. Would the release of a nasty remote vuln impact a company like Microsoft? Would the release of a vulnerability in a security product affect a security company? How about if that same vulnerability was made into a worm with a destructive payload?
There is sketchy evidence that such vulnerabilities and subsequent worms can affect the value of a company. While I don’t have hard data to say this for sure, it is a project I’ve long wanted to take up. All it requires is a good timeline of vulnerabilities (OSVDB), a good sense of media/popular opinion of the events (ISN), and access to stock prices over the years (favorite broker). Mapping the bigger vulnerabilities, or the ones that made more press (even if less serious than others), against stock prices would make for some interesting research. Bottom line: can Joe Random Hacker release vulnerability information and negatively impact the value of a company?
Preliminary and Incomplete
Internet Security, Vulnerability Disclosure, and Software Provision
Jay Pil Choi, Chaim Fershtman, and Neil Gandal
April 5, 2005
In this paper, we examine how software vulnerabilities affect firms that sell software and consumers that purchase software. In particular, we model three decisions of the firm: (I) an upfront investment in the quality of the software to reduce potential vulnerabilities, (II) a policy decision whether to announce vulnerabilities, and (III) a price for the software. We also model two decisions of the consumer: (I) whether to purchase the software and (II) whether to apply a patch.
Study: Flaw disclosure hurts software maker’s stock
Robert Lemos, SecurityFocus 2005-06-06
The study analyzed the release of 146 vulnerabilities and found that a software company’s stock price decreased 0.63 percent compared to the tech-heavy NASDAQ on the day a flaw in the firm’s product is announced. The study assumed that the stock of a company would have the same trend as the stock index, and that any departure from the index would be due to the disclosure.
This exact research project has been on my ‘to-do’ list for years; glad to see someone has begun to analyze this. A few years back, Ted Bridis noted that Microsoft’s stock dropped several dollars the day or two after a worldwide worm infestation that exploited MS products. There was also talk of Internet Security Systems’ (ISS) stock value taking a hit after the Witty worm (which exploited one of their products).
It will be extremely interesting to see this research carried further, noting details of the type of information disclosure (full, partial, vague), if the information is released in conjunction with vendors, etc.
The Register Article – Study: Flaw disclosure hurts software makers’ stock
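The measurement the study describes (stock return minus index return on the disclosure day) and the timeline-against-prices project sketched earlier, as an added example. This is not the study’s own code; the vendor closes, NASDAQ closes and disclosure dates are constructed for illustration, and a disclosure that lands on a non-trading day is rolled forward to the next close.

```python
"""Constructed event-study sketch: abnormal return on vulnerability disclosure days."""
from datetime import date, timedelta

# Constructed daily closes (trading days only; the 2005-06-04/05 weekend is absent).
VENDOR = {
    date(2005, 6, 1): 50.00, date(2005, 6, 2): 50.50, date(2005, 6, 3): 50.00,
    date(2005, 6, 6): 49.20, date(2005, 6, 7): 49.40,
}
NASDAQ = {
    date(2005, 6, 1): 2070.0, date(2005, 6, 2): 2080.0, date(2005, 6, 3): 2075.0,
    date(2005, 6, 6): 2080.0, date(2005, 6, 7): 2082.0,
}
# Constructed disclosure timeline (the role OSVDB would play); the second
# disclosure falls on a Saturday.
DISCLOSURES = [date(2005, 6, 2), date(2005, 6, 4)]

def next_trading_day(day, prices):
    """Roll a weekend/holiday disclosure forward to the first day with a close."""
    last = max(prices)
    while day not in prices:
        if day > last:
            raise ValueError(f"no close on or after {day}")
        day += timedelta(days=1)
    return day

def daily_return(prices, day):
    """Simple return from the previous available close to this one."""
    prev = max(d for d in prices if d < day)
    return prices[day] / prices[prev] - 1.0

def abnormal_returns(vendor=VENDOR, index=NASDAQ, events=DISCLOSURES):
    """Under the study's assumption (the stock tracks the index absent news),
    abnormal return = stock return - index return on the event day, in percent."""
    out = {}
    for ev in events:
        day = next_trading_day(ev, vendor)
        out[day.isoformat()] = round(
            (daily_return(vendor, day) - daily_return(index, day)) * 100, 2)
    return out

def mean_abnormal_return(ar=None):
    """Average over all disclosure events, the figure the study reports."""
    ar = abnormal_returns() if ar is None else ar
    return round(sum(ar.values()) / len(ar), 2)

if __name__ == "__main__":
    print(abnormal_returns(), mean_abnormal_return())
```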