Today Microsoft announced a shift in philosophy on their approach to the topic of vulnerability disclosure. Rather than referring to "Responsible Disclosure" the new framework is "Coordinated Vulnerability Disclosure" or CVD.The MSRC Blog describes CVD as follows:
Opinion:"Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.
Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem."
In my opinion, it is irresponsible for any researcher to publicly disclose the details of a vulnerability, particularly one that is not in the wild. Regardless of whether the process is called "Responsible Disclosure" or "Coordinated Vulnerability Disclosure" or whether "in the wild" or not, those who expect immediate response when a vulnerability is reported need to keep some things in mind.Edit Note:
The most important aspect of making a software change is to make one change at a time and "test, test, and test again" after each change. Even after stringent tests are conducted, to ensure the change does not "break" something else, it is necessary to translate the changes to the many supported languages -- and test yet again. I would much rather wait the extra time for the testing to be properly conducted than get buggy updates!
This, from Protection for New Malware Families Using .LNK Vulnerability, is precisely why it is my opinion that it is irresponsible by researchers to release proof-of-concept details to the public.For more detailed information regarding the tenants of CVD, please see Katie Moussouris' Ecostrat blog post, Coordinated Vulnerability Disclosure: Bringing Balance to the Force.
"What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it."
References:
- MSRC Blog: Announcing Coordinated Vulnerability Disclosure
- MSRC Ecosystem Strategy Team: Coordinated Vulnerability Disclosure: Bringing Balance to the Force
- The Register: Microsoft to banish 'responsible' from disclosure debate
- (Added) MMPC: Protection for New Malware Families Using .LNK Vulnerability
Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
0 comments:
Post a Comment