A couple of weeks ago, a hacker published a 0-day exploit for a critical buffer overflow vulnerability in one of Oracle's web server products (formerly a BEA product). As a security researcher, I return every so often to the topic of full disclosure and responsible disclosure, and how the two relate.
The above-mentioned buffer overflow exploit is one of those ugly examples of irresponsible full disclosure: an individual publishes an exploit to the public before the vendor has had a chance to review the information and release an advisory suggesting workarounds or patches. The timing does not seem coincidental to me, since Oracle's quarterly Critical Patch Update (CPU) had been released only days before the exploit became public.
I object to any such irresponsible behavior. And yet, as the security community knows only too well, such actions are inevitable. This is why we need to stress that application security should not rest solely on patching and infrastructure hardening, but also on dedicated security solutions. In particular, this recently exploited vulnerability is mitigated by default by most web application firewalls. Organizations relying on this type of security technology therefore find themselves protected long before any vendor patch is available.
I cannot discuss disclosure policies and behavior without mentioning the much-hyped DNS vulnerability found by Dan Kaminsky. I find all the frenzy surrounding the bug (in the media, the security community, and practically the whole world...) quite strange. Kaminsky attempted to disclose the flaw in a responsible manner, and in fact worked with the major IT providers to that end. However, the fact that he made public claims about the existence of a flaw effectively brought about the early announcement of the vulnerability and, ultimately, its full disclosure by another researcher.
- Amichai