Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Fwd: Are Bug Disclosures Helping or Hurting?
From: n3td3v <xploitable () gmail com>
Date: Wed, 30 Jul 2008 14:49:19 +0100

---------- Forwarded message ----------
From: n3td3v <xploitable () gmail com>
Date: Wed, Jul 30, 2008 at 2:40 PM
Subject: Are Bug Disclosures Helping or Hurting?
To: n3td3v <n3td3v () googlegroups com>

IBM report shows that as soon as a vulnerability is disclosed, an
exploit is made for it. Some think it's time to rethink that policy.

In attempting to fix the problem of software vulnerabilities, we are
inadvertently helping the bad guys by telling them where to find the

That is the conclusion of an IBM Internet Security Systems X-Force
report released today, which found that 80 percent of all
vulnerabilities that are published, either by vendors or third-party
sites like BugTraq, have an exploit crafted for them within 24 hours.

Further, 94 percent of all browser-related online exploits occurred
within 24 hours of official vulnerability disclosure, and online
attacks are the most popular form of attack.

The exploit usually comes in the form of sample code included in
developer "kits" that are sold on the Internet underground for quick
and easy development of all sorts of malware.

Holly Stewart, an X-Force researcher and editor of the report, said
it's time to reconsider such public disclosures. "The problem is that
in the research community, people have felt it is best practice to
have full disclosure," she told InternetNews.com.

"For the longest time, the security community has held on to this
common practice. Five years ago we didn't have exploit toolkits on the
underground to build exploits. Today, this is becoming a problem. I
think we have to shift gears and reconsider this full disclosure
policy and is the impact doing the best thing for the greater good,"
she said.

It can be a double edged sword. In 2004, security firm eEye Digital
found an exploit in Windows that was turned into the Sasser worm
within three days after it was posted to Bugtraq. Sasser turned into
one of the biggest Internet worms in history. So do we keep feeding
the malware trolls?

Responsible disclosure?

Ken Dunham, director of global response for iSIGHT Partners, said it's
a tough call. "Certainly the concept of responsible disclosure
involves two words, 'responsible' and 'disclosure'. If you go out to
the Internet at large and reveal a large security hole without
informing the vendor, then you have given the bad guys an advantage
they would not have through tradition non-public disclosure," he told

Even with responsible disclosure, even if a vendor hears about a
problem and works on it for weeks before issuing a patch, as soon as
the patch is released it's reverse engineered by the bad guys, he
added. "It becomes a race between how fast can you test and implement
it versus how fast can the bad guys weaponize it."


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]