Firm To Release Database, Web Server 0-Days 220

Posted by CmdrTaco
from the ready-for-impact dept.
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."
  • by Qubit (100461) on Monday January 11, 2010 @04:06PM (#30727652) Homepage Journal

    Firm To Drop Database, Web Server 0-Days

    The verb to drop has specific meaning w.r.t. databases. A few more words in the title would have been acceptable. How about:

    Fed-up security firm to release Database & Web Server vulnerabilities publicly

    Look at how much more information is conveyed in that second title. A work of beauty, it is.

  • Why not? (Score:5, Insightful)

    by Monkeedude1212 (1560403) on Monday January 11, 2010 @04:06PM (#30727654) Journal

    FTFA:

    At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret

    Hasn't this been proven to be true - and legal?

    In all honesty, if they've contacted the vendor and the vendor hasn't patched it in a month or two, I think it's completely ethical and practical to release the vulnerabilities. After all, there could be a few other small firms who have discovered the vulnerability and are exploiting it. Best to put them out there in a Twitter feed so that the entire world instantly complains about it, forcing the vendor to fix it. I prefer security over new features.

    • Re: (Score:3, Insightful)

      by DeadPixels (1391907)
      I agree, but that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible. I believe that you should notify the vendor and then release it in a reasonable time frame (TFA suggests 60-90 days).

      I don't have a problem with the disclosure of vulnerabilities once the vendor has been notified, because I think it does cause the problems to be resolved quicker. However, not telling the vendor means there's no chance for them to even start on a fix bef

      • Re:Why not? (Score:5, Insightful)

        by b4dc0d3r (1268512) on Monday January 11, 2010 @04:57PM (#30728526)

        He's a step ahead of you. He's tried doing it the right way and gotten no results. So he's going to skip the part where he wastes his time.

        If companies want responsible disclosure, they should respond in some way to the disclosure. Maybe companies will actually fix bugs instead of sitting on them, and he can go back to doing it the right way. He also warned the companies he's going to do it, so they have a chance to fix things before then.

        Here's a tip for you. In the real world, sometimes you have to force the other party's hand to get them to act responsibly. He's to that point, and fortunately has leverage. By making this choice public, he shames the irresponsible software companies which allow security problems to sit around unfixed.

        Hopefully they'll scramble to release some fixes, which they haven't done yet, which is a net improvement over the current situation where millions of people have unpatched vulnerabilities.

        In short, I don't see a problem here. I use software, it has security problems, I expect those to be fixed. Whatever it takes to get there, I'm all for it.

        • by cromar (1103585)

          Whatever it takes to get there, I'm all for it.

          Even... even murder??! Or genocide??!

      • by jc42 (318812)

        ... that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible.

        Well, how I read it is more like "Hey, we've tried notifying these turkeys a dozen times or more, and every time, they stonewalled us. I'm fed up with them, and I'm not going to waste my time any more. I'm just going right to the public release, which their history shows is the only way to get any action."

        Maybe this isn't the "responsible" thing to do, but it's certainly underst

        • I think that it would be much better to always notify the vendor (telling them when you will release) and then release as scheduled no matter what the vendor does or says. The word would soon get around and vendors would know they were working against a firm deadline.

        • Perhaps what we should suggest is starting off with a nice long "advanced notice" period with a vendor, 2 or 3 months. Each time they fail to act within that window, you decrease it slightly for the next bug you report. With time, this might stabilize on a reliable period for that vendor. Of course, this only works if you have a long-term business relationship with that vendor. In many cases, people are likely to give up long before the asymptote is reached.

          This requires an awful lot of patience and a fair

      • Re: (Score:3, Insightful)

        by Tom (822)

        We've had that discussion five years or so ago, hadn't we?

        To rehash the two most important arguments of each side:

        Pro Full Disclosure: "99% chance that the evil hackers already know about the exploits when a whitehat finds it, plus vendors don't get their lazy bums up unless there's danger in the air and the customers demand it."

        Pro "Responsible Disclosure": "Mimimi, that's sooo evil. Plus vendors will certainly fix things ASAP and work with researchers and everything will be better and I'm not being paid t

      • by dissy (172727)

        I agree, but that's not what this guy is doing. He's saying that he doesn't want to notify vendors at all, which I feel isn't responsible. I believe that you should notify the vendor and then release it in a reasonable time frame (TFA suggests 60-90 days).

        Well, you could always apply for that job :}

        You get paid nothing, to email vendors about their security flaws, and wait for a reply that will never be sent to you.

        Oh, and you aren't allowed to 'quit' this job, else we will say on the internet that you are immoral unethical and not reasonable.

        Especially after you do this for years, get not a single reply, and realize just how futile the whole process is. Definitely can not quit after that!

        Seriously, if you won't take that position for no pay and no rewards

      • by Thaelon (250687)

        What he's saying is that notifying the vendor first doesn't result in a fix at all, so why waste breath and allow the vulnerability to remain in the wild longer?

        If releasing them into the wild results in a faster fix, then that's what should be done. There's no such thing as security through obscurity. Whether it actually results in more damage to release it immediately without notifying the vendor than to notify the vendor and have them do nothing for six months - while during those six months, othe

    • socialized risk (Score:5, Insightful)

      by epine (68316) on Monday January 11, 2010 @04:24PM (#30727968)

      This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk. When you screw up in the auto industry, the company faces the massive expense of a product recall. That helps to keep you honest with your engineering quality.

      I personally think 30 days is a reasonable notification period. Not pleasant for the vendor to have to respond that briskly, but this isn't about being pleasant. If the vendor wants pleasant, they should invest more competence in the original product. This isn't easy, and might move a few pointy-haired managers out of the executive suite.

      Probably a more viable compromise is eight weeks. This adds a thin margin for the possibility that key zero-day SWAT staff are booked off, that multiple issues are raised concurrently, or that a product has a stupendously long build cycle.

      I would be thrilled to see an industry standard put in place where everyone knows the ethical notice period is eight weeks, period, perhaps with the odd extension on a track record of good behaviour.

      I would also like to see proprietary TCO calculations updated with a term to account for the customer disruption of having to rapidly deploy a not-tested-for-months-at-a-time critical vulnerability patch.

      Speaking of which, that whole TCO thing really bends my biscuits. It's just loaded with sly neglect of not entirely apparent costs, of which the year-long critical vulnerability update is one of the more egregious.

      During that time, your pants are down if anyone less ethical discovers the same flaw. It never happens that two scientists make the same discovery in the same year and end up in priority dispute, according to the industry of socialized risk.

      • Re: (Score:3, Insightful)

        by mcgrew (92797) *

        This is one of those issues where the instinct of any good capitalist is to privatize benefit and socialize risk.

        Sometimes I think I've been transported to Ferenginar. 95th Rule of Acquisition: "Exploitation starts at home".

      • What they should do is to mete out the information.

        First day: notify the software company and enter info in the database.
        -- info should include specifics, name of the program, an estimate of severity, and any info which can be released without actually revealing enough of the nature of the bug to continue.
        -- The web site should handle allowing access to the specifics after the specified time.
        -- The software vendor should be able to enter comments
        -- The software vendor should be able to request extensions t

    • "if they've contacted the vendor and the vendor hasn't patched it in a month or two"

      A month or two is not enough time.

      • Why not? Too busy? On what?

        You can have bugs, you can have additional features, you can have new projects on the table, ALL of that stuff should be second fiddle to security vulnerabilities.

        So where is the time consumption? The firm is already telling you WHERE the problem is. All it takes now is finding a solution, testing it, and deploying it.

        If you're telling me that it takes more than 2 months to do that - I seriously doubt the actual integrity of the product they are working on.

  • Irresponsible (Score:4, Insightful)

    by DeadPixels (1391907) on Monday January 11, 2010 @04:09PM (#30727708)

    To clarify the summary, this guy isn't saying that he's not going to wait for companies to fix exploits before he releases them; he's saying he's not going to tell the companies at all. That, in my opinion, is very irresponsible. If you contact them and say you're going to release the information in 90 days regardless of their progress on a patch, fine, but to not warn them because of a few vendors who don't do their job is harmful to everyone.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Problem is that if you warn a vendor privately, they will either dismiss you outright, or get a court to sign a gag order against you in a matter of hours.

      • Re: (Score:3, Insightful)

        by haruharaharu (443975)

        Of course, these guys are in Russia, so good luck with that.

        • Of course, these guys are in Russia, so good luck with that.

          Of course, if the big companies that are affected felt it made business sense to do so, the fact that this group is located in Russia could make them easier to deal with. A bit of Microsoft cash slipped into the right unregistered bank account... problem solved, guys are shut up permanently.

          • It occurs to me that financing international terrorism is a bit of a step up from not fixing exploits in your software. If Adobe was known to finance murder in a foreign country, just what do you think would happen?

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        What court? This firm is located in Russia.

      • they will either dismiss you outright

        So, how would that change GP's process?

        get a court to sign a gag order

        Then share it with one (or a couple) trusted friends who can release it if you are unable to.

      • Problem is that if you warn a vendor privately, they will either dismiss you outright

        Then you proceed with disclosure.

        or get a court to sign a gag order against you in a matter of hours.

        Has there been a precedent for that?

        I have reported security vulnerabilities in the past, and while the fix did take longer than I expected to be reasonable, at all points I was kept notified of the current progress, and I was never "dismissed", nor did anyone threaten me with court gag orders or anything like that. What did I do wrong?

    • Re: (Score:3, Insightful)

      by Volante3192 (953645)

      The devil you don't know is less dangerous than the devil you know? Fact is, the guy says he's got holes from Real from two years ago that haven't been patched. Two years isn't enough time, now you want two years and three months?

    • Re:Irresponsible (Score:5, Insightful)

      by GameMaster (148118) on Monday January 11, 2010 @04:25PM (#30727974)

      What he seems to be saying is that he's already told the companies and they've done nothing. A better term for it might be "effective disclosure", in order to differentiate it from the proven-ineffective "responsible disclosure" advocated by the industry.

  • by 0racle (667029) on Monday January 11, 2010 @04:12PM (#30727768)

    Some firm draws up a press release that they're going to drop the bomb on every piece of software they could get their hands on that is used everywhere in the world for one thing or another.

    Right, what are they selling again?

    • Re: (Score:3, Interesting)

      by paziek (1329929)

      They could be providing auditing services. Advertising to the whole IT world that they found a shitload of them might just say "Hey, we can check if your apps are safe, and perhaps recommend something better if they aren't."

    • Re: (Score:3, Insightful)

      by Blakey Rat (99501)

      From the blurb in the summary, it sounds like "jackassery."

  • by Megaweapon (25185) on Monday January 11, 2010 @04:14PM (#30727790) Homepage

    "Pay attention to us, we'll disclose everything up front before everyone else! BTW, here's our products and services."

  • by gregarican (694358) on Monday January 11, 2010 @04:15PM (#30727818) Homepage

    Or is the English language dying a painful death on /. as time passes? The past day's article summaries and headlines are a blend between Yoda backing off the chronic and the broken English that some toy assembly manuals convey.

    Seriously, it took me three passes at reading this article headline to understand what the hell it meant. Maybe that's part of the entertainment value that I'm missing???

    • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Monday January 11, 2010 @04:31PM (#30728104) Homepage

      You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

      • by dissy (172727)

        You got stuck on the DROP DATABASE, didn't you. Happens to a lot of db developers. :P

        Poor little Bobby Tables...

    • Re: (Score:2, Informative)

      by b4dc0d3r (1268512)

      It's a high concentration of words and/or phrases having overloaded meanings. As technology develops, normal words acquire additional connotations, if not denotations. Since this is a tech-oriented news aggregator, you should select the tech connotation first, then re-parse with non-tech meanings if that fails.

      'Drop' in this case can be parsed in the sense of 'vendor drop', meaning 'deliver' or 'drop a bombshell'. Not typical usage, but not uncommon. 0-days obviously refers to vulnerabilities, and confl

    • It's the hip-hop definition of 'drop', i.e., "Yo Dre! Drop me a funky-ass bass line!"

  • by Theodore (13524) on Monday January 11, 2010 @04:22PM (#30727938)

    I welcome this.
    In ancient ages past, we put up with "It's a theoretical attack, no one could actually execute it"...
    to "group X has released a THEORETICAL working example of an attack to the public, so we fix it six months after revealing it to us"...
    to "Here is how you fail... here is how to make you fail... FAIL!!!"

    'responsible disclosure' is just wearing the nice guy badge...

    You're the only one wearing the nice guy badge.

    I'd rather see "Oh CRAP! This thing in Word is broken!" "Oh CRAP! This thing in Excel is broken!" "Oh CRAP! I went to look at a Britney Spears vid and now can't move my mouse! Why is my DSL light blinking a lot?"
    And then see it fixed in a day or two (at most), rather than a month or two (if we're lucky).

  • by Anonymous Coward

    It seems only slightly less irresponsible to publicly disclose exploits without making companies aware of them than it is for companies to disregard known security flaws in their own products.

    RFPolicy struck me as the best compromise, but maybe there's room for a third-party service to hold exploit information in escrow for a defined period of time then release it. If a company knew that they had a couple of months to fix a problem at the outset, and that nothing was going to stop publication, that could p

  • While I don't blame them for releasing two year old vulnerabilities, they're going too far by not giving firms ANY TIME to fix vulnerabilities. Give them six months and then release them, but give them time. This does as great a disservice to users as those firms do by not fixing the vulnerabilities.

    • by Hatta (162192)

      So what you're saying is that we should give the black hats 6 months to freely exploit these vulnerabilities?

  • Shouldn't it be, "firm to SELECT 'Database', 'Web Server' FROM 0-Days;"?

  • Bug bounties (Score:4, Interesting)

    by zullnero (833754) on Monday January 11, 2010 @05:20PM (#30728920) Homepage

    If more firms paid bounties for bugs found (as long as responsible disclosure is followed), you'd probably see a whole lot more security researchers content to follow responsible disclosure guidelines. There's no guarantee that they'll keep that all a secret in any case, but to get the cash, you've got to sign a legal form with your company's information or be registered as a valid security analysis firm. One of the biggest issues with these security analysis firms is that there's no way to tell, most of the time, if it's just a bunch of criminals hiding out under a corporate umbrella, or if they're bona fide security professionals. And no jokes about them being one and the same... there's a huge difference; I've known (and in the case of those pros, I've worked with them) guys from both sides. If a security firm refuses to be registered or refuses bounties, you know there's something fishy about them and it's time to contact local authorities.

    Then again, there's the big problem of many of the bugs reported by outside security firms being already known and in a work backlog. The reality of the industry is that capital isn't unlimited, time isn't unlimited, and sometimes important stuff doesn't get done because you just don't have enough qualified developers to throw at the problem. Two years is fairly excessive for a security hole to sit around, but if a security firm is releasing exploits that it discovered and reported 6 months prior just because it "didn't see enough getting done", that's not being passionate about security, that's an attempt to commit extortion.

  • My eyes started to glaze over but the ecosystem seems to go like this. Researcher discovers vulnerability, sells it to companies that buy that kind of info, then reports it to the company that made the flawed software.

    One assumes that all the big anti-virus vendors buy the info from the vulnerability clearinghouse thus giving their users some measure of 0-day protection. Eventually the flawed software should be patched and all is well.

    It isn't clear in this case why the researchers care if the flaw
