September 22, 2008

On Irresponsible Disclosure and Cosmic Black Holes

Last week, a security researcher published a "zero-day vulnerability" regarding a specific CCTV control server (although you can hardly call something that can be found through Google "zero day"). The expected fire from the CCTV vendor did not fail to arrive shortly after the disclosure.


This is no longer an isolated incident but rather a growing trend over the past year. I am seeing more and more "full disclosures" prior to vendor patching. Believing that this is indeed becoming a trend, I had to give it a second thought. The only explanation I came up with is that this is a strong counter-reaction to practices that have been established in recent years.

After a wild "full disclosure" period in the early 2000s, researchers and mainstream mailing lists agreed to take the path of responsible disclosure. However, this evolved into a situation in which hardly any details are given for any vulnerability (even after a vendor patch is released), and vulnerabilities reported to vendors remain undisclosed to users for years!


Don't get me wrong - I am completely against irresponsible disclosure, but taking the POV of a researcher, this is extremely frustrating. Having personally discovered more than a handful of vulnerabilities and reported them to vendors, I have found that some vendors are so devoted to responsible disclosure that they don't bother to get back to you with status updates on the vulnerability, or even send a notification of when the vulnerability has been patched (if at all). Even more troublesome, some (well established) vendors do not even have proper procedures in place for vulnerability management (at least when it comes to some of their products). Not mentioning names, but a critical vulnerability we found 2 years ago in a commercial database software product has not received any attention beyond some initial acknowledgment. Needless to say, at least two versions released by the vendor since then are still vulnerable.


Actually, the frustration security researchers feel is not even a secret - it is shouted out and written on the walls (or rather, on mailing lists). A recent example is Kevin Finisterre's disclosed zero-day vulnerability regarding SCADA systems. He published the vulnerability only after the software vendor downplayed its criticality. I noticed an article a week later reporting that the vendor had actually removed that previous advisory and replaced it with one explaining the severity of the bug!


Speaking of SCADA systems, I'm happy that hackers were only able to deface the Large Hadron Collider Web site last week. I would be terrified to think what would have happened had they hacked into the control system itself, starting up a control sequence that would eventually generate cosmic black holes that would swallow us all in what would be recorded as the most notable hacking incident in the Universe. It would be one great leap for humanity that the physicists did not consider!

Amichai
