Vulnerability Numerology - Defective by Design?

rdmreader writes "RDM has a point by point disassembly of the security vulnerability story phenomenon. We regularly see these, comparing various vulnerability lists for different operating systems. ZDNet's George Ou, for example, condemns Linux and Mac OS X by tallying up reported flaws and comparing them against Microsoft's. What he doesn't note is that his source, Secunia, only lists what vendors and researchers report. Results selectively include or exclude component software seemingly at random, and backhandedly claims its data is evidence of what it now tells journalists they shouldn't report. Is Secunia presenting slanted information with the expectation it will be misused?"

Fishing for vulnerabilities

[pongo000]

Is Secunia presenting slanted information with the expectation it will be misused?

Here's one even better: We use GeSHi [qbnz.com] (Generic Syntax Highlighter) in WikkaWiki [wikkawiki.org]. We often scour the so-called "security vulnerability" databases because we've found many inaccuracies. In this specific case, Secunia issued this statement:

> we noticed the following entry in the changelog for GeSHi 1.0.7.18 and
> are about to issue an advisory based on this information.
>
> "Committed security fix for htmlspecialchars vulnerability. Also makes
> supporting multiple languages a lot easier"
> http://sourceforge.net/project/shownotes.php?release_id=489035 [sourceforge.net]
>
> To serve our mutual customers best we would appreciate to receive your
> comments on this issue before we publish our advisory.

WTF? This was a vulnerability in PHP's htmlspecialchars() function, NOT GeSHi. Yet, Secunia was planning on milking this vulnerability in order to boost its "vulnerability count" at the expense of a project that had absolutely NOTHING to do with the vulnerability.

You see, these so-called "vulnerability experts" try to wring out as many vulnerabilities as possible, because we all know that the most effective "vulnerability expert" will be the one with the most posted vulnerabilities. So they go on fishing expeditions to uncover vulnerabilities that really don't exist.

Or an even worse practice: "bottom-fishing" changelogs and bug trackers in order to discover vulnerabilities that have already been addressed. Here's another instance where Secunia was caught trying to boost its street cred through disingenuous reporting: They apparently scoured our bug tracking database and discovered an issue (already fixed!) and falsely implied in their report that the content of wiki pages marked private might be accessible via RSS. This was clearly false, as the original bug report indicated that the page name (not content) could be accessed. Secunia later corrected [secunia.com] the false report.

We've caught Secunia doing this on several occasions. My advice to anyone who is involved in an OSS project is to regularly scour the vulnerability databases and challenge each and every advisory that you believe is not accurate. You might be surprised at the amount of so-called "vulnerability intelligence" out there that is blatantly false, outdated, or inaccurate.

My experience with Secunia

[Aram Fingal]

At one point, I looked over all the Secunia advisories about OS X and came across one which said that OS X would send passwords in clear text without warning when logging into Appleshare volumes and that this vulnerability was "unpatched". I thought this was strange since I had, in fact, seen such warning dialog boxes in OS X. It was in an unusual case where I was connecting from OS X 10.2 to an old 68k Mac running MacOS 8.1. I also remembered seeing that there is an options button when you make an Appleshare connection. If you hit that options button, you get a screen with check boxes for allowing clear text passwords and warning when a clear text password is needed. The default is to allow with a warning. I sent email to Secunia asking for clarification about what circumstances would lead to sending a clear text password without notice. Do those check boxes not actually work? Are the defaults less secure in some cases? I never got a reply but the issue disappeared from the Secunia site. No explanation. Just gone. I wonder if enough other issues have just disappeared to affect the numerology.