New Approaches to Disclosure of Vulnerabilities Needed


The security vendor and service-provider fraternity should take the X-Force 2008 Midyear Trend Statistics, released this week, quite seriously. The implication of the report is that events have outpaced the industry's procedure for handling newly found flaws.


Currently, researchers who find a vulnerability provide the information to the vendors, hoping they will create a patch. After a suitable period of time, the researcher or his or her organization releases an advisory, which includes code related to the flaw.


That approach works fine in an era in which there is a significant lag between that disclosure and the time it takes bad folks to do anything with it. With automated tools, however, the period between release of the advisory and emergence of exploits has been reduced essentially to nothing. The report says 94 percent of browser-related attacks occurred within 24 hours of disclosure, making them so-called "zero-day" exploits. This guarantees that there will be many unpatched systems to attack.


The release of the X-Force report comes a few weeks after the announcement of a systemic Domain Name System flaw. The news, which was big enough to drag details of the DNS onto The New York Times, National Public Radio and other mass-media outlets, concerns a flaw that threatens to allow crackers to lead surfers to fake sites where all sorts of evil will befall them.


Researcher Dan Kaminsky, who found the DNS problem, didn't release details of the flaw when he announced its existence. He also asked those who did figure it out to keep quiet until the Black Hat Briefings conference, which kicks off on Saturday. He is scheduled to make details public at that point. Not everyone agreed, as is noted by this InformationWeek commentary, which, in part, details work done by Halvar Flake to replicate Kaminsky's work. Even if everyone were on the same page, the system seems a bit too informal to stand up now that vulnerabilities and their potential for profit have caught the eye of organized crime.


Today, bad guys -- including organized crime -- have access to tools that allow even the inexperienced to launch an attack. The treatment of the DNS flaw and the X-Force report lead to the same conclusion: The way in which newly discovered vulnerabilities are handled must be rethought.