Digg this story   Add to del.icio.us  
Mozilla's 'Code of Silence' Isn't
Jon Lasser, 2002-10-09

Developers are accused of not publicizing the browser's security vulnerabilities enough. But do we really need world wide alerts for every bug?

Is the Mozilla project covering up security holes in its open-source browser?

That seems to be the accusation in a recent note to Bugtraq, in which security researcher Thor Larholm publicized a list of bugs in Mozilla 1.0. The bugs weren't exactly a secret to begin with -- the list itself came from the Mozilla Web site. And they're all fixed in version 1.0.1. But Larholm's post hints darkly that the Mozilla organization should stop "hiding the fact that Mozilla, like most any other software product, has had and will have a long number of security vulnerabilities."

The group has an obligation to publicize the bugs more thoroughly "so that the secinfo industry and the public in general becomes aware of these," Larholm wrote.

I disagree. In fact, I believe we're already getting far more information on security weaknesses than we need, and the accompanying hype that permeates computer security is itself harmful to security.

Consider Mozilla. Few if any of the bugs in 1.0 are serious enough to warrant a blow-by-blow breakdown in front of the general public. They are serious enough that third-party distributors of Mozilla, such as Red Hat, properly issued updated packages, but they fall below a threshold that requires informing the general public of the gory details.

The fact is, the details are possibly relevant to developers with products based on Mozilla, and to some in the information security community; to the rest of the world, only the fact that security holes in 1.0 have been fixed in 1.0.1 is relevant.

The service security researchers provide is critical -- without them, most bugs would remain hidden from the average user for even longer than they currently do. But I believe security researchers should more carefully consider the appropriate audience for their discoveries or claims. Shotgun announcements to the whole world lower the signal-to-noise ratio and make it more difficult for even the most conscientious user to find what they need to find.

Sometimes even well-meaning researchers generate more heat than light.

When someone discovers what he or she believes to be a bug and reports it, that report will circulate far and wide, even if the researcher later retracts or reassess it. Countless "PGP has weak and broken encryption" rumors can doubtless be traced back to the homegrown symmetric cipher that Phil Zimmermann used in version 1.0, and which thankfully hasn't been seen since then. Killing a rumor is difficult; if the rumor was once true, it may be impossible to kill.

How Many Holes?
The press, whose job it should be to help users sort out what they need, frequently cause as many difficulties as they solve. A case in point is a piece on Vnunet which claims that there have already been 485 Linux security bugs this year.

By any reasonable measure, this number is wildly inflated: by my count, Debian has released 76 security alerts this year; Red Hat's version 7.2 (their version available on January 1st of this year) counts 69 alerts so far this year. By comparison, the same article claims 202 alerts for Microsoft Windows in 2002.

As the methodology of the cited count is nowhere to be found, one can only presume (as does a piece on Linux Weekly News) that all security alerts for all Linux distributions have been added together, causing the same bug to be counted as many as five times. Or perhaps bugs for all packages that can run on Linux have been added to the total, regardless of whether or not any distribution actually ships the package.

Of course the number of alerts regarding a package is not a measure of its actual security when deployed in the field; I doubt that any of the Mozilla bugs have actually been exploited to the detriment of real users or systems. Which is not to say that they shouldn't be fixed, or reported. As always, judgment is everything.

Unfortunately, users have few useful aids to judgment: the volume of researcher reports is just too great for the average user to pay attention, and the press' reporting is less-than helpful. In addition to those inflated vulnerability accounts, the Vnunet report provides no guidance for addressing potential or actual vulnerabilities.

The flow of useless information has even slogged down vendor security announcement mailing lists. While most Linux distributions promptly develop and release fixed packages, commercial Unix vendors can be comically slow in acknowledging and repairing vulnerable packages. It is worth recalling that full-disclosure security mailing lists such as Bugtraq were conceived of as a challenge to unresponsive vendors. But those forums are now weighted down with alerts of interest to only a few readers.

All this leaves users in the dark, with insecure systems and few trustworthy sources for information on exactly what they can do to secure them. Unless, of course, you trust the vendors without reservation. In short, I'm still a proponent of full disclosure, but I'm beginning to wonder if it does anything to improve the security of the average system. Can anyone convince me that there's hope?



SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
    Digg this story   Add to del.icio.us  
Comments Mode:
Cool a unix/lenix guy preaching the same stuff as M$crud 2002-10-09
Twinker (3 replies)
Cool a unix/lenix guy preaching the same stuff as M$crud 2002-10-09
Rob John <rdrj@mindspring.com> (2 replies)
My point was.... 2002-10-10
Twinker (1 replies)
Nothing's hidden 2002-10-15
Anonymous (1 replies)
Nothing's hidden 2002-10-15
Karl
Mozilla's 'Code of Silence' Isn't 2002-10-09
Chad Loder
Mozilla's 'Code of Silence' Isn't 2002-10-10
Jon Lasser (2 replies)
Mozilla's 'Code of Silence' Isn't 2002-10-16
Serge Wroclawski
Mozilla's 'Code of Silence' Isn't 2002-10-10
Anonymous
Mozilla's 'Code of Silence' Isn't 2002-10-10
Twinker (2 replies)
Mozilla's 'Code of Silence' Isn't 2002-10-11
XandreX (1 replies)
Mozilla's 'Code of Silence' Isn't 2002-10-11
Anonymous (2 replies)
Mozilla's 'Code of Silence' Isn't 2002-10-14
Anonymous
Mozilla's 'Code of Silence' Isn't 2002-10-15
Anonymous
Mozilla's 'Code of Silence' Isn't 2002-10-12
Anonymous
Mozilla's 'Code of Silence' Isn't 2002-10-12
Anonymous
Practice what you preach 2002-10-13
Anonymous
Mozilla's 'Code of Silence' Isn't 2002-10-13
Anonymous
Mozilla's 'Code of Silence' Isn't 2002-10-16
Anonymous


 

Privacy Statement
Copyright 2010, SecurityFocus