In Depth

Beyond Passport Vulnerabilities

Security flaws in high-profile products like Microsoft's Passport led experts and vendors to find new ways to disclose bugs

By Simson Garfinkel

Page 2

As the 1990s unfolded, we learned another reason why selective disclosure didn't work: Increasingly, the people who were discovering security vulnerabilities weren't part of the privileged cabal of computer security researchers and practitioners; they were students, "reformed hackers," independent consultants and even journalists. Time and again, I would hear stories of people who had sent e-mail to a company, reporting a vulnerability they had discovered and then got nothing back, not even a "thank you."

How frustrating. And, as far as the companies were concerned, how tremendously shortsighted.

Thus was born the idea of full disclosure. Mailing lists such as Bugtraq, the sole purpose of which was to allow this new breed of researchers to exchange red-hot vulnerability information, sprung into existence. Computer vendors were welcome to monitor Bugtraq to learn about vulnerabilities in their products, or in the products of their competitors. Of course, the bad guys subscribed to Bugtraq as well; so, too, did a number of highly placed journalists. Thus began the era of disclosures being published on the front page of newspapers, followed by hectic days of patch-or-be-hacked. And all too often, the important disclosures were almost invariably followed by a new round of computer worms or viruses that took advantage of the disclosures.

Disclosures that showed up on Bugtraq weren't just about new buffer overflows; sometimes the bugs were with e-commerce shopping cart software, bugs that would allow a knowledgeable attacker to get products for free, or even to execute commands on the shopping cart's server and steal credit card numbers. The most prestige went to people who posted notices with so-called "exploit scripts," usually a small program that both demonstrated the bug and allowed an attacker to break into the remote system.

In many cases, there was no obvious public interest served in the public disclosure. Sure, the person who found the bug got credit, but merchants relying on the products were frequently hurt. This was evident when the exploits discovered were with orphaned products made by companies that were having financial problems or had gone out of business. Yes, the merchants relying on these products needed to find solutions. But widely posting such vulnerabilities probably did more harm than good.

The Importance of Full Disclosure

These days the pendulum is swinging toward a middle ground called responsible disclosure. People and companies that find security vulnerabilities are supposed to notify the company in question about their discovery and start a clock. The company has 30 days to confirm the vulnerability, come up with a patch and distribute that patch to its users. If the company isn't responsive, the theory goes, then the bug hunter has not just a right but a duty to publicly disclose the vulnerability in an effort to both light a fire under the vendor and warn users.
