'Month-of' flaw projects come under fire

This week in Security Blog Log: The Month of Apple Bugs has some wondering if the real motive for such disclosure projects is better security or better press coverage.


Ask the researchers behind the Month of Browser Bugs, Kernel Bugs and Apple Bugs what their motives are and they'll tell you it's to hold vendors' feet to the fire and get them to take security more seriously.
Security Blog Log

"Software vendors are notorious for taking months or years to produce a security patch," said Metasploit Framework creator H.D. Moore, whose Month of Browser Bugs in July exposed 31 browser holes, most affecting Microsoft's Internet Explorer. "The 'Month-of' projects put pressure on the vendor to address an issue in a reasonable amount of time. In my experience, nothing produces a patch faster than a published exploit."

LMH, the researcher behind the Month of Kernel and Month of Apple bugs, said, "It's better to have someone disclosing your security flaws than having them known by the bad guys, only. This pushes the vendor to change its procedures and policies for vulnerability handling and disclosure. And that's where users benefit."

But with the Month of Apple Bugs now underway, some security bloggers are criticizing the disclosure projects as something designed more for press attention than better security.

That's not to say the critics don't find some value in what the researchers are doing.

The Security Curve blog, for example, takes on the issue of press attention while still finding value in exposing Apple's security holes.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Recent columns:

Adobe Reader flaws spook security experts

Skype Trojan: Much ado about nothing?

Schneier: UCLA breach barely newsworthy

"The only reason there could possibly be for doing a 'month of xxx bugs' is to get attention ... in other words, [from] the press," Security Curve said. "The press loves this stuff, they are sure to cover it, and you can use any ol' bug you find to fuel it. In terms of 'bang for the buck' to get media attention, there's absolutely nothing better you can do."

On the other hand, the blog said, Apple's marketing does a disservice to Mac users by portraying its products as bug-free, and someone needs to expose the truth.

"One could argue that some of their marketing could lead users to believe things about the Mac that aren't entirely true," Security Curve said. "For example, one could interpret the Apple marketing to claim increased resistance to security vulnerabilities. If that were the case, it would put users in a dangerous position -- they might be less inclined to apply updates or they might be less inclined to monitor their systems for intrusion."

The blog concluded that it's better to know that there are Mac bugs out their so users can take action and be vigilant as opposed to not knowing about them and getting burned.

Thomas Ptacek of New York-based Matasano Security LLC wrote in the organization's blog that there are arguments to be made in favor of publishing exploits. But he's not sure the case can be made for releasing a flaw a day. He said it's hard to criticize H.D. Moore's press statements that there's "a ton of denial and hubris about whether Apple products are more secure than any other vendor." But, Ptacek said, "'Denial and hubris' about Apple security is not a problem that we need H.D. Moore to correct."

He also doubts the advisory-a-day approach will do much to make vendors more security conscious.

"It takes Apple longer to release patches for findings than many other vendors," he said. "Now, explain to me how a month of 'get-root-from-localhost-nobody' scare advisories is going to solve that problem?"

Rich Mogull, research vice president with Stamford, Conn.-based Gartner Inc., wrote in the Securosis blog that February should be declared a "Month of No Bugs."

"While I have tremendous respect for security researchers, I think this 'Month-of' stuff is getting out of hand," he said, noting that H.D. (Moore) started with hacks that disclosed a flaw without a direct path to remote code execution while a number of the flaws released by LMH appear to come with working exploits. "I've had positive discussions with him in the past and think his heart's in the right place, but this isn't the way to make things better."

As "messed up" as the industry's disclosure approaches may be, he said, dumping code isn't the answer. "While there is sometimes a time and place for releasing code, this clearly isn't it," he added.

He said the "Month-of" projects are becoming the cyber equivalent of a vigilante smashing everyone's doors down while they're away on vacation, leaving them as burglar-bait, to prove to them how weak their lock vendor is.

"I've called some big vendors to the carpet more than once" over their security practices, he said. "But spending a month dumping exploit code is only going to make us end users less secure, and make it even harder to deal with those vendors."

Dig deeper on Information Security Laws, Investigations and Ethics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close