RE: Complicated Disclosure Scenario

From: Dom De Vitto (Domat_private)
Date: Thu Jan 17 2002 - 12:21:27 PST


    You told the vendor, they ignored you.
    If someone broke into a cancer research centre tomorrow, using
    your unreleased "bug" and deleted all the files - how would
    you feel?
    
    Ethics indicates that in order to protect users, public disclosure
    (full or limited) is the only remaining way to protect users - either
    because they don't use the product, or because the vendor fixes it
    due to public pressure.
    
    In short, it's time to blow the whistle.
    
    Dom
    PS. Bearing in mind what Bill G said today about security of MS
    products, it's clear that he's keen for all security problems to
    come into the light.  That's how I read it, anyway.... :-)
     |-----Original Message-----
     |From: Josha Bronson [mailto:dmuzat_private] 
     |Sent: Thursday, January 17, 2002 3:01 AM
     |To: vuln-devat_private
     |Subject: Complicated Disclosure Scenario
     |
     |
     |Greetings fellow security folk,
     |
     |I would like to gather some opinions on a not so theoretical 
     |disclosure scenario. Please for the sake of focused 
     |discussion keep your replies related to the specific scenario 
     |that I am proposing and not alternate opinions on disclosure 
     |in general.
     |
     |The situation is thus. I have discovered a bug in a major 
     |software vendor's application. Initially the bug presented 
     |itself as a way to crash the application, i.e. a DoS 
     |condition. Upon further research I determined that I was able 
     |to overwrite some return addresses by formatting the overflow 
     |in a specific way. As we all know this means that there is 
     |the possibility that this could allow code to be executed on 
     |the remote system.
     |
     |At this point I contacted the vendor to alert them to the 
     |existence of this problem. After exchanging multiple emails, 
     |in which I tediously outlined the DoS condition and 
     |*potential* exploit situation I was told that they would wait 
     |until I determined if code could be exploited before they 
     |began creating an advisory or even working on a patch. 
     |
     |I informed this vendor, who is by no means short on 
     |resources, that I might not be able to successfully make that 
     |determination due to constraints on my time (after all I do 
     |this for fun) and ability, as this problem exists on an 
     |architecture that I have very little experience with. 
     |
     |I encouraged the vendor to begin their own investigation. 
     |They ignored this, and again stated that they would await my results.
     |
     |This is the problem as it sits. If I reach out to "the 
     |community" for additional assistance with researching this 
     |bug I might as well just send out an advisory. If I release 
     |an advisory the vendor will most likely not have a patch 
     |ready, they will feel violated and the user base will be left 
     |open to exploitation with no fix. If I do nothing, the 
     |problem persists and nothing gets accomplished, and maybe 
     |someone with not so good intentions discovers the same bug 
     |and uses it to do harm.
     |
     |So, what would you do?
     |
     |-- 
     |Josha Bronson
     |dmuzat_private
     |AngryPacket Security
     |
    
    This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 13:06:11 PST