Month of .. who?!

[This was originally published on the OSVDB blog.]

A Month of Rixstep Bugs

It’s a win-win proposition.

Starting now and for the duration of January 2007 Rixstep will be holding a ‘Month of Rixstep Bugs’ campaign: find a bug in any Rixstep software product and win a prize.

It’s not a win-win proposition, it is a lame gimmick. After the Month of Apple Bugs, the Week of (cancelled) Oracle Bugs and the Month of Linux Kernel Bugs, Rixstep wants in on the bandwagon. A few small problems:

  1. They posted this announcement on the 4th, not even giving a full month.
  2. They didn’t post this to Bugtraq, Full-Disclosure, or any other security list/resource I monitor.
  3. Rixstep doesn’t have the saturation that Linux, Apple or Oracle do. It is considerably easier to test those products and platforms versus Rixstep, who many of us have never heard of, let alone seen deployed.

If you want to play with the big boys, Rixstep, man up and put some of your products up on your site and post the challenge to Bugtraq and Full-Disclosure.

reply: MJR: The Vulnerability Disclosure Game: Are We More Secure?

[This was originally published on the OSVDB blog.]

The Vulnerability Disclosure Game: Are We More Secure?
By Marcus J. Ranum

Do you remember the original premise of the disclosure game? By publicly announcing vulnerabilities in products we will force the vendors to be more responsive in fixing them, and security will be better. Remember that one? Tell me, dear reader, after 10 years of flash-alerts, rushed patch cycles and zero-day attacks, do you think security has gotten better?

I know that Microsoft, Oracle and others have spent huge amounts of money improving the security of their software. Never mind the fact that 99.99 percent of the computer users in the world would rather they had spent that money making their software cheaper or faster, I suppose it’s a great thing to see that software security is being taken seriously. Security has gotten more expensive. But do you think security has gotten better?

It’s a tad ironic that the only way we could ever hope to answer this question is if the vendors practiced full-disclosure! The only way this question could be answered is to see a list of all the vulnerabilities that vendors like Microsoft or Oracle have found and fixed through in-house auditing. If they have found and fixed 1,000 vulnerabilities compared to the 250 publicly disclosed (arbitrary numbers), then yes, security has gotten better. Right? If software is shipping with fewer vulnerabilities per line of code, then security has improved, and the “we’ll force your hand” crowd had something to do with it.

If twenty years of brutal full disclosure really did teach them the importance of security by forcing them to spend considerable money on said security, then didn’t those wily “we’ll force your hand” folks in the ’90s do what they claimed, although a little differently than planned?

reply: Microsoft: Responsible Vulnerability Disclosure Protects Users

[This was originally published on the OSVDB blog.]

Microsoft: Responsible Vulnerability Disclosure Protects Users
By Mark Miller, Director, Microsoft Security Response Center

Responsible disclosure, reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update, benefits the users and everyone else in the security ecosystem by providing the most comprehensive and highest-quality security update possible.

Provided “sufficient time” doesn’t drag out too long, else the computer criminals (who are in the ‘security ecosystem’) benefit greatly from responsible disclosure too.

From my experience helping customers digest and respond to full disclosure reports, I can tell you that responsible disclosure, while not perfect, doesn’t increase risk as full disclosure can.

Except “your experience” wouldn’t take full disclosure cases into account appropriately. Look at some of the vulnerabilities reported in Windows, Real, Novell and other big vendors. Notice that in more and more cases, we’re seeing the vendor acknowledge multiple researchers who found the issues independently. That is proof that multiple people know about vulnerabilities pre-disclosure, be it full or responsible. If a computer criminal has such vulnerability information that remains unpatched for a year due to the vendor producing “the most comprehensive and highest-quality security update possible”, then the risk is far worse than the responsible disclosure your experience encompasses.

Vendors only take these shortcuts because we have to, knowing that once vulnerability details are published the time to exploit can be exceedingly short, many times in the range of days or hours.

See above, the bolded “proof” I mention. If vendors are going to move along with their head in the sand, pretending that there is a single person with the vulnerability or exploit details, and pretending that they alone control the disclosure, the vendors are naive beyond imagination.

The security researcher community is an integral part of this change, with Microsoft products experiencing approximately 75 percent responsible disclosure.

I’d love to see the chart showing issues in Microsoft products (as listed in OSVDB), relevant dates (disclosed to vendor, patch date, public disclosure) and the resulting statistics. My gut says it would be less than 75%.
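To make concrete what such a chart would need, here is an added example (not part of the original post, and not OSVDB’s own code) that classifies vulnerability records by the three dates the post names and computes the share that qualifies as responsible disclosure, plus the vendor-notified-to-patch lag. The records and their ids are constructed placeholders, not real OSVDB entries.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class VulnRecord:
    """One issue with the three dates the post asks for. Ids are constructed placeholders."""
    ref: str
    vendor_notified: Optional[date]   # None when the vendor was never told first
    patch_released: Optional[date]    # None when no fix exists
    public_disclosure: date


def classify(rec: VulnRecord) -> str:
    """'responsible' only if the vendor heard first AND a patch was out by the
    time details went public; anything else counts as 'full' disclosure."""
    told_first = rec.vendor_notified is not None and rec.vendor_notified <= rec.public_disclosure
    patched_first = rec.patch_released is not None and rec.patch_released <= rec.public_disclosure
    return "responsible" if told_first and patched_first else "full"


def responsible_share(records: List[VulnRecord]) -> float:
    """Percentage of records that meet the responsible-disclosure test."""
    labels = [classify(r) for r in records]
    return 100.0 * labels.count("responsible") / len(labels)


def days_to_patch(records: List[VulnRecord]) -> List[int]:
    """Vendor notification to patch, for records where both dates are known."""
    return [(r.patch_released - r.vendor_notified).days
            for r in records if r.vendor_notified and r.patch_released]


# Constructed sample data, not real OSVDB entries.
SAMPLE = [
    VulnRecord("X-1", date(2006, 1, 10), date(2006, 4, 11), date(2006, 4, 11)),  # patched, then public
    VulnRecord("X-2", None, None, date(2006, 6, 16)),                            # posted straight to a list
    VulnRecord("X-3", date(2006, 3, 1), date(2006, 8, 8), date(2006, 7, 20)),    # vendor told, but public before fix
    VulnRecord("X-4", date(2006, 5, 5), date(2006, 6, 13), date(2006, 6, 13)),   # patched, then public
]


def summarize(records: List[VulnRecord]) -> dict:
    return {"responsible_pct": responsible_share(records),
            "median_days_to_patch": median(days_to_patch(records))}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note that a record like X-3 counts as full disclosure even though the vendor was notified, which is exactly the kind of case a raw "75 percent" figure can hide depending on how it is counted.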

Bogus RFI Reports Getting Out of Hand

[This was originally published on the OSVDB blog.]

I know we’re all getting tired of the Remote File Inclusion (RFI) vulnerabilities being disclosed that end up being debunked, but this one takes the cake so far (yes I’m behind on e-mail).

Fri Jun 16 2006
(1) path/action.php, and to files in path/nucleus including (2) media.php, (3) /xmlrpc/server.php, and (4) /xmlrpc/

Sat Jun 17 2006
Demonstrated that the vulnerability is bogus.

Mon Oct 30 2006

Mon Oct 30 2006
Demonstrated (again) that the vulnerability is bogus.

So not only is it fake, it was also previously disclosed and debunked. I swear, Bugtraq moderators should seriously consider blocking any RFI disclosure from Would save Vulnerability Databases a lot of time.