Vuln Dev
Re: Vulnerability Disclosure Jun 07 2007 12:21PM
Jonathan Leffler (jleffler us ibm com) (1 replies)
Matthew Steer <matt.steer (at) marstons.co (dot) uk [email concealed]> wrote:
> I have been playing around with a program and have discovered a bug
> that I have successfully leveraged into code execution. I reported
> my findings to the vendor, not yet receiving a reply; this is the
> first time I have done this.
>
> The bug is in an installer and malicious input is crafted then
> pasted into an input field which is copied into a buffer of
> insufficient size. The conditions of the exploit seem a little
> extreme to me, but it still results in code execution.
>
> The fact that it is in an installer, hence most likely requiring
> Admin rights, and is a local exploit the risk of this vulnerability
> being exploited seems low (to me, not being a risk assessor!).
>
> This brings me to my question;
>
> Should all vulnerabilities be disclosed to a vendor (at least!)
> however high or low risk?
>
> I've never been a believer in "Security through Obscurity", but do
> the people think there comes a point when it may just be a waste of
> time?
>
> To be honest; I hope not!

Can we check my understanding of your situation?

We have a Windows program installer - or is it Unix?
And the person running the install needs elevated privileges to run the
install.
And, using the elevated privileges needed for the install, that user can
trick the installer into doing something other than the intended install?

Wouldn't the person be able to do those things anyway? So, is there an
actual risk of exploitation by someone unauthorized? If the person
installing has the privileges to abuse their system and then subverts an
installer into abusing their system, how much of a problem is it really?

...change of tack...

Speaking from the receiving end of such reports, yes, all (real)
vulnerabilities should be reported.
And all reported vulnerabilities should be acknowledged - at least that it
was received, and preferably that it was evaluated, understood, and proven
correct or incorrect and what, if anything, will be done about it. Which
may take more than one response email, over a period of days to months.
The initial response should be timely - within a week, say. After that,
it depends. And it may be that it is not really worth fixing this
particular problem - though it isn't a decision to be made lightly.

One major problem is knowing whether the report got through to someone
able to assess and understand it.
And another is knowing how many other reports were received the same day
(were the people receiving the reports completely overloaded).
And another is knowing whether the version you found the problem in is
current, and indeed whether the problem reproduces in the current version.
However, and again speaking from experience, many of the problems found in
old versions also manifest themselves in new versions.

--
Jonathan Leffler (jleffler (at) us.ibm (dot) com [email concealed])
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
