subject: Daily flaws ratchet up disclosure debate
posted: Sat, 15 Jul 2006 01:51:28 +0100


http://www.securityfocus.com/news/11400/2

Daily flaws ratchet up disclosure debate
Robert Lemos, SecurityFocus 2006-07-14

HD Moore is used to polarizing the vulnerability-research community.

As the creator of the Metasploit Project, an open-source tool for
automating the exploitation of vulnerabilities, Moore has had his
share of contentious debates with other security professionals.
However, his latest endeavor--releasing a browser bug every day
during the month of July--has raised hackles on both sides of the
security equation, among the black-hat as well as white-hat
researchers.

After the first week of flaws were released, one online miscreant
from Russia shot off an e-mail to Moore, complaining that he had
outed a vulnerability the Russian had been exploiting, Moore said.

"The black hats don't like the fact that this is public because
they have been using these bugs," Moore said. "By dumping out the
bugs on the community, I'm clearing the air and letting the good guys
know what others are doing."

Yet, the release did not seem so altruistic to Microsoft, whose
Internet Explorer browser suffers from the lion's share of the bugs
found by Moore. The software giant indirectly criticized the release
of vulnerabilities in a statement to SecurityFocus, underscoring the
importance of getting customers updated before they are exposed to
threats from malicious attackers.

"Microsoft continues to encourage responsible disclosure of
vulnerabilities," the software giant said in a statement sent to
SecurityFocus. "We believe the commonly accepted practice of
reporting vulnerabilities directly to a vendor serves everyone's best
interests."

The software giant stressed that many of the flaws merely crashed the
Internet Explorer browser, while the more serious vulnerabilities
were fixed in the recent MS06-021 security update.

Other browsers had fewer flaws, Moore said. He discovered some issues
with Mozilla's Firefox, but the group fixed them quickly, he said.
Opera's browser, at least the most recent version, stood up quite
well.

"Opera 8.5 fell apart ten different ways, but 9.0 looks pretty
solid," he said.

While Microsoft and other software makers have improved their
relationships with many flaw finders, other researchers have
ratcheted up the pressure on the companies to fix the vulnerabilities
in their systems. After finding a flaw in the online-application Web
site of the University of Southern California, security professional
Eric McCarty decided to go public with the issue to put pressure on
the university and is now being prosecuted for breaching the site's
security. Another researcher, David Litchfield, released descriptions
of Oracle flaws, after the database maker failed to patch the issues
immediately.

In the most recent case, Moore had first warned software makers of
the threat posed by potential attackers using the tools, known as
fuzzers. Because response to the warning seemed slow, he decided to
publicly release many of the bugs, one each day in July.

The avalanche of browser flaws underscores the problems for software
vendors as fuzzers become more popular. The flaw-finding programs
systematically change the data sent to an application to see how the
software reacts. In many cases, bad data can cause an application to
crash; other times, the application's response to the mangled data
reveals underlying security flaws. HD Moore used five different
fuzzers--all but one of which is publicly available--to find hundreds
of vulnerabilities in the major browsers, he said.

"People now have a feeling about how things stand," Moore said.
"There will be five or six tools that they can run and find out what
flaws potentially could be exploited."
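The article describes what a fuzzer does (systematically mangle the data sent to a program and watch how it reacts) without showing it. The following is an added illustration, not code from the article, from Moore's project or from any of the tools it mentions. It builds a tiny constructed record format, a deliberately sloppy parser for it that trusts its own length fields (the toy stands in for the "strange", hard-to-understand issues the article says fuzzers turn up), and a mutation fuzzer that bit-flips, overwrites, truncates and inserts bytes, then buckets each distinct crash by exception type and source line so a defender sees one report per underlying bug rather than thousands of duplicates. All names (`parse_record`, `mutate`, `fuzz`) and the format itself are assumptions made for the example.

```python
"""Toy mutation fuzzer: mangle a valid input, feed it to a parser, and
collect the distinct ways the parser falls over. Example code only."""
import random
import struct
import traceback

# Constructed sample format (assumption for this example):
#   magic b"RC" | u16 big-endian field count | count * (u8 length | bytes)
SEED_INPUT = b"RC" + struct.pack(">H", 2) + b"\x02ab" + b"\x03xyz"


def parse_record(data: bytes):
    """Parse the toy format. Rejects bad magic cleanly (ValueError) but
    otherwise trusts the length fields, which is the defect class a
    fuzzer is good at exposing. Returns (fields, mean field length)."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")  # graceful rejection, not a bug
    (count,) = struct.unpack(">H", data[2:4])
    pos = 4
    fields = []
    for _ in range(count):
        length = data[pos]  # IndexError when the input is truncated here
        pos += 1
        field = data[pos:pos + length]
        # Defect: trusts 'length' and indexes the last byte without
        # checking that that many bytes were actually present.
        _ = field[length - 1]
        fields.append(field)
        pos += length
    # Defect: a zero field count is never rejected, so this divides by zero.
    mean_len = sum(len(f) for f in fields) / len(fields)
    return fields, mean_len


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, truncation,
    or byte insertion. These are the classic dumb-fuzzer operators."""
    buf = bytearray(data)
    op = rng.choice(("flip", "set", "truncate", "insert"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "set" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1):
    """Run the parser on mutated inputs and bucket crashes.

    A ValueError is the parser's own graceful rejection and is ignored;
    any other exception is a crash, keyed by (exception name, line number)
    so each underlying bug is reported once with a reproducer input."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    buckets = {}
    for _ in range(iterations):
        sample = seed_input
        for _ in range(rng.randint(1, 4)):  # stack a few mutations
            sample = mutate(sample, rng)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - a fuzzer wants everything
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            buckets.setdefault(key, sample)  # keep the first reproducer
    return buckets


if __name__ == "__main__":
    for (name, line), repro in sorted(fuzz(parse_record, SEED_INPUT).items()):
        print(f"{name} at line {line}: {repro!r}")
```

Running the script prints one line per distinct crash site with a minimal reproducer, which is the form in which a fuzzing result is actually useful to the people who have to fix the bug; the `IndexError` buckets are the trusted-length defects and the `ZeroDivisionError` bucket (reached only when a mutation zeroes the count field) shows why the loop stacks several mutations per iteration.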

While the Month of Browser Bugs project has come under criticism, the
objections of the black hat community underscore why it is
important. Making the vulnerabilities known will prompt software
developers and defenders to respond to threats and secure their
systems, said Peter Swire, a professor at Ohio State University's
Moritz College of Law.

"The attackers probably know about the vulnerabilities, the defenders
have not patched pervasively, so disclosure will tend to help the
defenders," Swire said.

In a paper published in 2004, Swire argued that--while there are
cases where obscurity can help security--that's not the case for
Internet-connected computers. After informing the software maker and
giving them time to patch the problem, releasing the information
helps overall security, he said.

"In many cyber applications, it makes sense to use openness," Swire
said. "The factors tilt towards openness because the attackers can
attack repeatedly, learn from the attacks and tell people about the
attack. It is different from many real world applications where they
can get the plans for the banks and that will help them with the
attack because they know where to step to avoid the alarm sensors."

Others have taken the issue of disclosure as an incentive to secure
systems to a more extreme degree. In a law note published in the
Harvard Law Review (PDF) last month, recent graduate Jonathan Lin
argued that even acts of cybercrime that do not cause major damage
should be considered a benefit because it helps secure the Internet,
similar to disclosure.

"I think there should be a more nuanced approach to how we measure
what are the most damaging attacks," said Jonathan Lin, a recent
graduate from Harvard University's School of Law and the author of
the note.

Focusing on the online vandals that do minor damage to systems
through attacks that highlight security risks may not be the best use
of government resources, he said. The result of such prosecution
could be a far less secure Internet, he argued.

"It is really difficult for the U.S. government to protect itself
from attacks that span the globe," he said. "So the centralized
response of prosecution is not going to be very effective--it feels
almost like a lost cause. We have to do something about it, but I
feel that the effort is focused on the wrong threat."

Looked at from an economic perspective, the enhanced security that
comes from disclosure--and some minor cybercrimes--is known as a
positive externality, a beneficial effect on the consumer from an
event in which they did not participate, said Eric Goldman, director
of the High-Technology Law Institute at Santa Clara University's
School of Law. While online attackers target vulnerable software
applications, when the software maker offers a program patch to close
the security hole, the consumer benefits.

However, the flip side of the effect--so-called negative
externalities--typically outweighs the positive for acts such as
cybercrime, Goldman said.

"There is no real wealth created by the investments in security, it
is just a cost of everything we do in our lives," Goldman said. "When
the (Harvard) article argues that we create a social benefit, it
could also be argued that the person is creating a bunch of
dead-weight losses that really don't benefit society."

Certainly, software makers, who now have to run multiple data-fuzzing
tools against their software, may feel that way. The dramatic daily
release of bugs during July is a warning that the companies need to
use data-fuzzing tools to find application flaws before attackers
find the weaknesses first. The number of exploits of previously
unknown flaws--called zero-day exploits--detected by security firms
has also, at least anecdotally, increased dramatically over the last
year.

And these tend not to be flaws that can easily be found by
researchers--fuzzer-found flaws tend to be somewhat obscure, Moore
said.

"These weren't well-understood bugs," he said. "They are really
strange issues that are really hard to understand, even after the
fact. For example, one ActiveX bug requires ten different variables
be set."

Microsoft has made fuzzing part of its Software Development Lifecycle
and runs the tools, not just against browsers, but its other software
as well, a spokesperson said.

While Moore has grown somewhat tired of fuzzing, he is not done quite
yet. A yet-unreleased data-fuzzing tool has found a number of other
vulnerabilities in the current version of Internet Explorer, he said.
He has not released information on those issues, except to Microsoft,
but plans to create a tool so that system administrators can
eventually check their systems for the flaws.

CORRECTION: The article's discussion of Peter Swire's paper and
position was clarified to stress that he believes proper disclosure
involves first notifying the vendor, giving them time to fix the
issue and then releasing vulnerability information.

Copyright 2006, SecurityFocus

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/
