Daily flaws ratchet up disclosure debate
Robert Lemos, SecurityFocus 2006-07-14

HD Moore is used to polarizing the vulnerability-research community.

Daily flaws ratchet up disclosure debate 2006-07-14
Matthew Murphy
A bunch of MicroBug$... again! 2006-07-17
assurbanipal
Daily flaws ratchet up disclosure debate 2006-07-17
Bruce McCulley (1 replies)
Much of this discussion seems overly simplistic to me. Slammer exploited a vulnerability that was known and patched long before the exploit was released into the wild, and yet it found many systems to infect. Why? How does disclosure affect such situations? What could be done to improve?

Because my personal experience is varied, I have a different perspective on these topics. Others may have differing ideas; I encourage alternatives to the suggestion I offer below.

FYI, before focusing on security as a CISSP I was a software engineer for a major vendor. I have also developed critical global networked systems, and was responsible for production operations in several more or less critical environments. From that experience I think many important constituencies are ignored in the present conversation, so I hope others will join the discussion.

Dan Geer has published some statistics ("The Physics of Digital Law", cited in Gary McGraw's book "Software Security: Building Security In") that show the volume of exploits correlates closely with the volume of flaws (actually, MLOC**2, a measure of program complexity) released. The important detail is that the curves best fit when exploits lag code release by a year, accounted for by so-called diffusion delay, or the time it takes for new code to propagate into the installed base.

The point of this is that many sites do not patch immediately, for various reasons.

When I was a system manager I sometimes found patches had undesirable side effects. So I would read the patch descriptions and attempt to make an informed decision about whether I should apply the patch, and whether to do so sooner rather than later (after more or less extensive offline testing). Sometimes vendors made that difficult by obscuring details of patch effects; whether to avoid embarrassment or to hinder attackers doesn't matter. So users make decisions about whether to apply patches independent of vendor information about associated exploits. And vendors obfuscate flaw details, to avoid embarrassment and to foil adversaries (adversaries including competitors as well as black hat attackers). Both of these delay diffusion of patches into the installed base.

Disclosure to users seems as important as disclosure to vendors, at least from some perspectives (some vendor marketeers might disagree). Limiting disclosure in order to deny attackers information also denies defenders information, if those defenders are in the trenches instead of in vendor HQs.

Perhaps it would be useful to disclose vendor responsiveness along with vulnerabilities. Inform the vendor privately, and publicly disclose when either (a) the vendor releases a patch, or (b) after some reasonable period. Give the vendor compliments for rapid patch releases and publicly identify non-responsive situations. Such data would be valuable for customers to inform their buying decisions, and it might balance the interests between full and no disclosure.

-L. Bruce McCulley


Link to this comment: http://www.securityfocus.com/comments/articles/11400/33956#33956
Re: Daily flaws ratchet up disclosure debate 2006-07-22
Hordur Helgi Helgason
Copyright 2008, SecurityFocus