In Depth

Beyond Passport Vulnerabilities

Security flaws in high-profile products like Microsoft's Passport led experts and vendors to find new ways to disclose bugs

By Simson Garfinkel

Page 3

These guidelines have been agreed upon by a consortium called the Organization for Internet Safety (OIS, www.oisafety.org). The consortium includes software publishers such as Microsoft and The SCO Group and bug-hunters such as @Stake, Foundstone, Internet Security Systems and Symantec. The hope is that agreed-upon ground rules should bring stability to the hectic world of vulnerability disclosure.

The whole question of vulnerability disclosure is one that most CSOs will have to wrestle with from time to time. The most obvious reason is that a CSO needs to know when new vulnerabilities are disclosed in products that his organization is using. For this reason, it makes sense to have at least one person in your shop monitoring mailing lists such as Bugtraq and Full-Disclosure. The person should also do regular Web searches of product names and release numbers, just to keep tabs on the "chatter" surrounding your organization's infrastructure investment.
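The monitoring the paragraph recommends is only useful if someone can quickly tell which of the hundreds of weekly list posts touch products the shop actually runs. The script below, an added example that is not part of the original article, does that first cut: it takes an inventory of product names and deployed versions and checks mailing-list subject lines against it, understanding the three version spellings that commonly appear in subjects ("4.2.x", "2.0.0-2.0.9", a lone "2.1.3"). The product names, versions and subject lines are all constructed for illustration and do not refer to real software or real advisories.

```python
"""Triage mailing-list subject lines against a product inventory.

Added example, not from the article. Product names, versions and subject
lines below are constructed for illustration and do not describe real
advisories or real software.
"""
import re

# Hypothetical inventory: product name -> versions deployed in the shop.
INVENTORY = {
    "AcmeMail": ["4.2.1"],
    "WidgetHTTPd": ["2.0.7", "2.1.0"],
}

# Constructed subject lines in the style of Bugtraq / Full-Disclosure posts.
SAMPLE_SUBJECTS = [
    "[Full-Disclosure] AcmeMail 4.2.x remote heap overflow",
    "Re: WidgetHTTPd 2.0.0-2.0.9 directory traversal",
    "BugTraq: OtherProduct 1.0 cross-site scripting",
    "WidgetHTTPd 2.1.3 format string bug (fixed in 2.1.4)",
    "AcmeMail: possible weakness in authentication (no version yet)",
]

# A version spec as it appears in a subject: "4.2.x", "2.0.0-2.0.9" or "2.1.3".
# The ".x" alternative comes first so "4.2.x" is not cut short to "4.2".
VERSION_SPEC_RE = re.compile(
    r"\b(\d+(?:\.\d+)*\.x|\d+(?:\.\d+)+)(?:\s*-\s*(\d+(?:\.\d+)+))?"
)


def parse_version(text):
    """'2.0.7' -> (2, 0, 7); tuples compare component-wise, so 2.0.9 < 2.1.0."""
    return tuple(int(part) for part in text.split("."))


def spec_predicate(low_text, high_text):
    """Return a function telling whether a deployed version falls under a spec.

    Conservative reading: a lone version ("2.1.3") is treated as "2.1.3 and
    earlier", because that is how most advisories mean it and missing an
    advisory costs more than a false positive that a human then dismisses.
    """
    if low_text.endswith(".x"):
        prefix = parse_version(low_text[:-2])
        return lambda v: v[: len(prefix)] == prefix
    low = parse_version(low_text)
    if high_text:
        high = parse_version(high_text)
        return lambda v: low <= v <= high
    return lambda v: v <= low


def triage_subject(subject, inventory):
    """Return (product, deployed_version_or_None, subject) for each match."""
    hits = []
    for product, deployed in inventory.items():
        if not re.search(r"\b" + re.escape(product) + r"\b", subject, re.IGNORECASE):
            continue
        # Versions after "fixed in" describe the patch, not the affected range.
        affected_text = re.split(r"fixed\s+in", subject, flags=re.IGNORECASE)[0]
        specs = VERSION_SPEC_RE.findall(affected_text)
        if not specs:
            # Product named but no version given: still worth a human look.
            hits.append((product, None, subject))
            continue
        predicates = [spec_predicate(low, high) for low, high in specs]
        for version in deployed:
            if any(pred(parse_version(version)) for pred in predicates):
                hits.append((product, version, subject))
    return hits


def triage_feed(subjects, inventory):
    """Run every subject line through the inventory check."""
    hits = []
    for subject in subjects:
        hits.extend(triage_subject(subject, inventory))
    return hits


if __name__ == "__main__":
    for product, version, subject in triage_feed(SAMPLE_SUBJECTS, INVENTORY):
        print(f"{product} {version or '(no version)'}: {subject}")
```

Run against the constructed feed, the script flags the AcmeMail 4.2.x post and the WidgetHTTPd 2.0.0-2.0.9 post for the deployed builds they cover, flags both WidgetHTTPd builds for the 2.1.3 post under the "and earlier" reading, ignores the unrelated product, and surfaces the version-less AcmeMail post for manual review. Subject lines are a deliberately loose input; the script is a filter that decides what a person reads first, not a substitute for reading the advisory.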

But another reason that disclosure protocols affect CSOs is that a CSO is likely to encounter security vulnerabilities as well. In these cases, the CSO needs to know what to do with this information: whom to tell, how to tell and how to manage the flow of information.

Follow Disclosure Guidelines

It makes good sense for CSOs to be familiar with the OIS disclosure guidelines. Although nothing makes these guidelines sacrosanct, they do reflect a lot of hard work from respected people and organizations familiar with disclosure problems. If I were CSO at a major corporation, I would be hard-pressed to find a reason to implement a policy that was fundamentally different from what the OIS is proposing.

That's what my company did: following the responsible disclosure guidelines, we contacted Microsoft, and the company, following the same guidelines, took us quite seriously. In fact, Microsoft said the problem was a minor configuration problem on one of the Passport Web servers. A few days later, the problem was fixed. We didn't get any glory, but we received a very nice box of Microsoft warm-up jackets in the mail as a kind of tangible "thank you."

It's important to remember that the disclosed vulnerabilities represent only a tiny fraction of the vulnerabilities that are in any given piece of software. Any program that's sufficiently complex will have security problems. Ultimately, what makes a security disclosure something that you need to act upon is that other people know about it. You will always have vulnerabilities. If nobody knows about them, you're relatively safe.

Isn't that a comfortable thought?
