Sunday, July 04, 2004

A Witty Comment on Security Disclosure

In response to yet another browser security hole found by Secunia, a Slashdot commenter made the following clever retort:

The best place to get a response when reporting a security bug is on Bugtraq. :)
Funny but all too true, as the experiences of this other commenter illustrate.

Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

Mozilla (bugzilla.mozilla.org 246448)
Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.
Opera (bugs.opera.com 145283)
No response.
Microsoft
On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

Although they're all quick to complain about "irresponsible" disclosures of vulnerabilities by individuals who are supposedly unwilling to give them the time to come up with patches, the ugly reality is that most commercial software vendors prefer to ignore such problems unless there's some media pressure preventing them from doing so. There's nothing quite like a Reuters report alerting the entire world to some embarrassing new security hole to get the attention of indifferent corporate entities.

One more thing worth noting: the way in which the Bugzilla database enables such rapid turnaround in bug-fixing time really ought to serve as an inspiration to other organizations. It's good to see Microsoft providing a product feedback center for Visual Studio 2005, but what's needed now is something along the same lines devoted to security problems; one shouldn't have to trawl through the Bugtraq archives to see what, if anything, has been said about a potential problem, only to then be forced to report it by broadcasting it to the entire world in order to get a meaningful response. If Microsoft had a security database where registered outsiders could log and track whatever issues they'd discovered, the impetus for "disclosure by public ambush" would be reduced considerably.
