'Month-of' flaw projects come under fire

Security Blog Log column
By Bill Brenner
12 Jan 2007 | SearchSecurity.com

Ask the researchers behind the Month of Browser Bugs, Kernel Bugs and Apple Bugs what their motives are and they'll tell you it's to hold vendors' feet to the fire and get them to take security more seriously.

"Software vendors are notorious for taking months or years to produce a security patch," said Metasploit Framework creator H.D. Moore, whose Month of Browser Bugs in July exposed 31 browser holes, most affecting Microsoft's Internet Explorer. "The 'Month-of' projects put pressure on the vendor to address an issue in a reasonable amount of time. In my experience, nothing produces a patch faster than a published exploit."

LMH, the researcher behind the Month of Kernel and Month of Apple bugs, said, "It's better to have someone disclosing your security flaws than having them known by the bad guys, only. This pushes the vendor to change its procedures and policies for vulnerability handling and disclosure. And that's where users benefit."

But with the Month of Apple Bugs now underway, some security bloggers are criticizing the disclosure projects as something designed more for press attention than better security.

That's not to say the critics don't find some value in what the researchers are doing.

The Security Curve blog, for example, takes on the issue of press attention while still finding value in exposing Apple's security holes.

"The only reason there could possibly be for doing a 'month of xxx bugs' is to get attention ... in other words, [from] the press," Security Curve said. "The press loves this stuff, they are sure to cover it, and you can use any ol' bug you find to fuel it. In terms of 'bang for the buck' to get media attention, there's absolutely nothing better you can do."

On the other hand, the blog said, Apple's marketing does a disservice to Mac users by portraying its products as bug-free, and someone needs to expose the truth.

"One could argue that some of their marketing could lead users to believe things about the Mac that aren't entirely true," Security Curve said. "For example, one could interpret the Apple marketing to claim increased resistance to security vulnerabilities. If that were the case, it would put users in a dangerous position -- they might be less inclined to apply updates or they might be less inclined to monitor their systems for intrusion."

The blog concluded that it's better to know that there are Mac bugs out there, so users can take action and be vigilant, than not to know about them and get burned.

Thomas Ptacek of New York-based Matasano Security LLC wrote in the organization's blog that there are arguments to be made in favor of publishing exploits. But he's not sure the case can be made for releasing a flaw a day. He said it's hard to criticize H.D. Moore's press statements that there's "a ton of denial and hubris about whether Apple products are more secure than any other vendor." But, Ptacek said, "'Denial and hubris' about Apple security is not a problem that we need H.D. Moore to correct."

He also doubts the advisory-a-day approach will do much to make vendors more security conscious.

"It takes Apple longer to release patches for findings than many other vendors," he said. "Now, explain to me how a month of 'get-root-from-localhost-nobody' scare advisories is going to solve that problem?"

Rich Mogull, research vice president with Stamford, Conn.-based Gartner Inc., wrote in the Securosis blog that February should be declared a "Month of No Bugs."

"While I have tremendous respect for security researchers, I think this 'Month-of' stuff is getting out of hand," he said, noting that H.D. (Moore) started with hacks that disclosed a flaw without a direct path to remote code execution while a number of the flaws released by LMH appear to come with working exploits. "I've had positive discussions with him in the past and think his heart's in the right place, but this isn't the way to make things better."

As "messed up" as the industry's disclosure approaches may be, he said, dumping code isn't the answer. "While there is sometimes a time and place for releasing code, this clearly isn't it," he added.

He said the "Month-of" projects are becoming the cyber equivalent of a vigilante smashing everyone's doors down while they're away on vacation, leaving them as burglar-bait, to prove to them how weak their lock vendor is.

"I've called some big vendors to the carpet more than once" over their security practices, he said. "But spending a month dumping exploit code is only going to make us end users less secure, and make it even harder to deal with those vendors."
