Mozilla: Hackers control bug disclosure

WASHINGTON--Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla's security chief said Saturday.

The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla Security Chief Window Snyder said in a panel discussion at the ShmooCon hacker event here.

"The researcher has all the power," Snyder said. "They control when they disclose it, and they control the idea whether or not the vendor responds in time."

Releasing vulnerability details has been hot topic for years. The software industry advocates private disclosure of a bug and time to fix it before a researcher goes public, a practice the industry calls responsible disclosure. After all, early release could help criminals to launch cyberattacks and damage a vendor's reputation.

Security researchers who follow the industry's guidelines are often frustrated by a lack of response from software makers. Another frequent point of criticism is the time it takes for a fix to be released and for the researcher to get credit in a security alert.

"Vendors have a real responsibility to respond to what's reported to them," said Snyder, who previously worked at Microsoft.

But not everyone buys into responsible disclosure. It is a trap set by software makers, said panel member Dave Aitel, of security software firm Immunity. "Responsible disclosure is a marketing term," he said. "Responsible disclosure plays into the hands of Microsoft and other big vendors...they are trying to control the process."

Instead of disclosing a flaw to the vendor, Aitel wants bug hunters to sell vulnerability information to him. Immunity pays bug hunters for details on security vulnerabilities and uses those in his company's products, which include penetration-testing tools that can be used to break into computers and networks.

Chris Wysopal, CTO and founder of security review company Veracode, disagreed that bug hunters are always in charge. "We see a lot of threats," he said. "Being on the receiving end of legal threats isn't an easy thing."

If a company unleashes its legal wrath onto a security researcher, then that's an example of a company that doesn't know what it is doing, said Rohit Dhamankar, manager of security research at TippingPoint, a seller of intrusion prevention products.

"There are sophisticated vendors like Mozilla and Microsoft, and there are vendors who have no clue about good process," Dhamankar said. TippingPoint, which also pays security researchers for bugs, was threatened with a lawsuit recently by a Web portal software maker, he said.

To gain a competitive advantage over rivals, companies such as Immunity and TippingPoint pay bug hunters for flaws. By purchasing bug information, their products can detect problems before any other product can and before an official patch is available.

Ultimately, flaws don't get fixed without public disclosure, Wysopal said. "The responsible thing is to send it to the vendor, but then you get stuck with the vendor not doing anything about it if there isn't the threat that it will be publicly disclosed," he said. "Public disclosure is the only way to actually get things fixed."

Mozilla's Snyder said 30 days is a good timeframe to give a software maker to come up with a fix and called on bug hunters to follow responsible disclosure guidelines.

"I appreciate the work that's going on and I appreciate a little heads up before the whole world finds out (about a security vulnerability)...I would appreciate 30 days, but I will take what I can get."

[n3td3v]

responsible hacking

hackers need to be in control of the situation, that is the fun-da-mental of hacking in the first place.<br /><br />responsible disclosure only comes if behind the scenes there has been polite conversation between both parties.<br /><br />if the vendor decides a vulnerability isn't as important as the hacker thinks it is, then you have a problem.<br /><br />not only should the hacker be in control but the hacker should be able to have his bug prioritized by his judgement and not that of the vendor.<br /><br />as soon as the vendor starts rearranging the importance of when a bug should be fixed then you have a problem.<br /><br />the hacker is going to go onto mailing lists and up the ante on the vendor to upgrade the importance of a bug.<br /><br />if you want responsible disclosure then the vendor needs to think carefully how to treat hackers when an e-mail arrives.<br /><br />should we say nothing to the hacker because we're a big bold multi billion dollar corporation and fix the bug when we feel like it? or should we have back and forward dialog to make sure the hacker is happy? <br /><br />and then (if you do decide to have back and forward dialog) for that reason the hacker will be more than happy to follow that corporations responsible disclosure policy and not risk the nightmare of full disclosure before a patch has been rolled out internationally.

[gmcaloon--2008]

Hackers in Control?

Hackers are not and should never be in control of the situation. Hackers are the problem, not the solution. <br /><br />The biggest problem is hacker hubris, the belief dictated by their egos that the security holes they find in OSes are critical and should be acknowledged as such by the software vendor and if the vendor doesn?t release a patch almost instantly, the hacker believes he has the right, even the duty, to go public ? thereby alerting every other hacker to have a go at attacking the software. That is totally irresponsible, particularly when the exploit is of the kind wherein the user must be inveigled somehow to go to a malicious web site expressly created to contain the exploit. That kind of exploit is not of critical concern to the software vendor and merits low priority in putting together a patch. Naturally the hacker thinks otherwise, his ego is offended and he goes public. <br /><br />The situation is made even worse by some security outfits that pay hackers for every bug they can find, thus encouraging hackers to look for vulnerabilities in software. The hackers and some in the security business have a rather nice thing going for themselves insofar as they interact with each other, each encouraging the other. <br /><br />The obvious solution to this ongoing idiocy is to put hackers out of business. Not an easy thing to do, but mandating prison time might be a starter. There are other solutions, difficult and expensive, that the vendors could implement. Unfortunately it would be at considerable cost to themselves necessitating a major rewrite of their software to detect and prevent any action that the software does not explicitly authorize. This would eliminate simply writing software to accomplish a certain task and leaving it to third parties to try to find out if it can be hacked. I won?t hold my breath waiting for that to happen however.

[Phillep_H]

Importance of bug

&gt; if the vendor decides a vulnerability isn't as<br />&gt; important as the hacker thinks it is, then you<br />&gt; have a problem. <br /><br />Just who do these lowly hackers think they are, arguing the importance of the bugs? If the vendor ignores the bug, then there is obviously no danger to it being released. Right?

[Gayle Edwards]

The Cold-Hard Reality...

The simple fact is that MANY businesses (especially, the biggest technology corporations) HAVE PROVEN that, as often as not, they WILL IGNORE, or even HIDE, any problem, that they think they can... unless literally forced to deal with it (look at Microsoft, the largest software-corporation in the world... they have a decades-long history of, actually, simply claiming "serious problems" dont even exist... until they were literally clubbed over the head with them... by the "media" and other forms of "public disclosure").<br /><br />This is just a sad reality of modern business-behavior. In fact, this is actually a very-basic element of human-nature. There are other terms for this problem; "denial", "self-interest", "laziness", "arrogance", and "greed". But, as long as any form of externally-imposed "secrecy" is allowed... and as long as it provides any benefit to those that can exploit such "ignorance"... any form of restriction of such "free expression" -will- inevitably cause HARM to the "consumer".<br /><br />This basic philosophy; -a little knowledge can be dangerous... but imposed ignorance is far, far, worse-... is, in fact, the very foundation of the American ideal of "Freedom of Speech". Our "Founding Fathers" were, very painfully, forced to acknowledge that controlling information, IS the single greatest power that the corrupt can possess... and that, "self-interest" is one of the most corrupting influences within the sphere of human-experience.<br /><br />So-called, "responsible disclosure" (and "penalties" that could be used to enforce it), appears to me to be little more than another attempt to forcibly control the vital-information which consumers absolutely MUST have access to, in order to protect themselves and make sound decisions... regarding both "the bad-guys", AND the business-entities that would benefit from such FORCIBLY-IMPOSED ignorance.<br /><br />This is especially driven home by recognizing, just who are the biggest proponents (and, potentially, beneficiaries) of this, self-styled, "responsible disclosure".<br /><br />In short, it would be nice if such "vulnerabilities" were only disseminated in a "responsible manner"... But, the FACT is that "the bad-guys" WILL have access to such information, whether "the public" is informed, or not. And, overall, giving companies that produce FLAWED-PRODUCTS, the power to "silence" those that find such flaws, ...is, frankly, a far more worrisome prospect, to me.

[ozidigga]

Sure but who cares

Sure there are bugs in Mozilla, there aren't any programs which are bug free. Difference between Firefox and IE is that a Bug in Firefox doesn't compromise the entire Operating System like IE bugs do. Also Mozilla release updates for their web-browser more often than Microsoft release updates for IE

[gmcaloon--2008]

Some Do Care.

IE bugs can reach farther down into the OS because it is integrated into the OS. Firefox cannot do so because as a third party application it is not allowed such deep access. At that, few hacks are written that can penetrate that deeply into IE and so few do. <br /><br />However, that makes little difference in that because both browser?s security holes can allow bugs into the system both can cause considerable damage ? and that is the important point. <br /><br />That Mozilla releases the bug fixes more often that Microsoft does is partly because Firefox has more vulnerabilities that IE does and also because Microsoft has been under considerable pressure from the business IT sector to release patches on a set schedule so that IT departments are not bombarded with frequent patches that have to be loaded into hundreds, thousands, of computers. With so small a market share, particularly in large enterprises, Mozilla doesn't face that pressure. It can and does release fixes whenever it suits their schedule. Microsoft used to do the same.

[Dragon Forge]

Not ms 'bashing', putting the concerns where they belong

Of course it would be out of the question for ms to pay good rewards for bugs that are 'discovered'. I mean it is not like the system is so complicated and convoluted that it would be difficult for ms to do it by themselves, so there is no need to employ the brightest brains to fill in where they are woefuly inadequate.<br /><br />No their money is better spent making PR contributions and lobbying efforts, for their inteliigence resources looking after how to try and market-out more market share, and focus of ignoring and hoping it will go away.<br /><br />Responsible disclosure!! HAH! ! If you are stupid enough to offer up your halfbaked product to the public, you can not possibly dismiss yourself from the problems and responsibilities of its inadequacies.

[wbenton]

Could means what?

&gt;&gt;&gt;early release "COULD" help criminals to launch cyberattacks and damage a vendor's reputation.&lt;&lt;&lt;<br /><br />Maybe, perhaps, possibly, might.<br /><br />And now what about the other part of the MORE important question.<br /><br />Cannot the creation of vulnerable software damage a vendor's reputation?<br /><br />Don't shoot the messenger... they're just bringing the message. It's the developer of the flawed software who "SHOULD" be held responsible.<br /><br />Notice I capitalized the word "SHOULD" because that matches with "COULD" and means about the same.<br /><br />Microsoft should be held responsible for every flaw found in their software.<br /><br />The hackers DID NOT write the code... Microsoft Engineers DID!<br /><br />If Microsoft's code were solid in the way it was written, the chances of so many flaws occuring would be drastically reduced.<br /><br />Now back to the story...<br /><br />The hackers (note there are good and bad ones) are usually aware of the bug before the manufacturer.<br /><br />Good ones report their findings to the manufacturer in hopes the manufacturer will come out with a timely patch.<br /><br />But corporations like Microsoft have time and again, slept on those notifications to such a length of time (6 months to several years) that the good guys are getting fed up with reporting them only to find Microsoft is so reluctant to patch.<br /><br />On top of that, Microsoft, even after notified of a specific flaw, still takes their time and has their own people probe to see whether the flaw the hackers found is in fact a hack or not.<br /><br />Finally, once Microsoft's engineers have confirmed in fact that the hackers were correct all along... the hackers already knew it thought... Microsoft just postponed until their engineers could confirm it... Microsoft still postpones the fix until the next month's regularly scheduled update even for critical flaws unless the industry presses them beyond the point which they can postpone further.<br /><br />So as far as the &gt;&gt;&gt;early release could help criminals to launch cyberattacks and damage a vendor's reputation.&lt;&lt;&lt;<br /><br />I think the manufacturer's code, the manufacturer's actions taken after notification of the flaw, and the speed at which the manufacturer patches that flaw MUCH MORE important to a vendor's reputation than any early disclosure by a good hacker.<br /><br />However, none of these seem to have any affect on Microsoft what so ever... but that SHOULDN'T BE the case!<br /><br />We MUST NOT LET Microsoft continue to get away with their lax security policy after they've been claiming for years that they're working on strengthening their security!!!<br /><br />Until they do as they say... I think the world should continue to breath down their throats and hold them responsible for their own sloppy security-weak spaghetti code!!!<br /><br />FWIW