Thursday, July 22, 2010

Coordinated Vulnerability Disclosure (CVD)

Today Microsoft announced a shift in philosophy on their approach to the topic of vulnerability disclosure. Rather than referring to "Responsible Disclosure" the new framework is "Coordinated Vulnerability Disclosure" or CVD.

The MSRC Blog describes CVD as follows:

"Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.

Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem."

In my opinion, it is irresponsible for any researcher to publicly disclose the details of a vulnerability, particularly one that is not in the wild. Regardless of whether the process is called "Responsible Disclosure" or "Coordinated Vulnerability Disclosure" or whether "in the wild" or not, those who expect immediate response when a vulnerability is reported need to keep some things in mind.

The most important aspect of making a software change is to make one change at a time and "test, test, and test again" after each change. Even after stringent tests are conducted, to ensure the change does not "break" something else, it is necessary to translate the changes to the many supported languages -- and test yet again. I would much rather wait the extra time for the testing to be properly conducted than get buggy updates!
Edit Note:
This, from Protection for New Malware Families Using .LNK Vulnerability, is precisely why it is my opinion that it is irresponsible for researchers to release proof-of-concept details to the public.

"What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it."
For more detailed information regarding the tenets of CVD, please see Katie Moussouris' Ecostrat blog post, Coordinated Vulnerability Disclosure: Bringing Balance to the Force.



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...



Henson S said...

What if the vulnerability is in the wild, and has been disclosed to the maker of the software--but nothing's been done about it?

I think in that edge-case that it's actually OK to post the details of the exploit. It drives awareness around the problem, and forces developers to do something.

Corrine said...

How do you know the software developers aren't doing something about the vulnerability? By publicly posting the details, the information is then broadly available to malware writers. As explained at Stuxnet, malicious .LNKs, ...and then there was Sality, this is precisely what happened when the .lnk vulnerability was irresponsibly made public:


"As with many new attack techniques, copycat attackers can act quickly to integrate new techniques. Although there have been multiple families that have picked up this vector, one in particular caught our attention this week– a family named Sality, and specifically Sality.AT. Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware. It is also a very large family—one of the most prevalent families this year. After the inclusion of the .LNK vector, the numbers of machines seeing attack attempts combining malicious .LNKs and Sality.AT soon surpassed the numbers we saw with Stuxnet. We know that it is only a matter of time before more families pick up the technique."