BERLIN–Just whispering the words “vulnerability disclosure” within earshot of a security researcher or the members of a vendor's security response team can put you in fear for your life these days. The debate is so old and worn out that there is virtually nothing new left to say or chew on at this point. However, the question of when to disclose that a given vulnerability is being exploited in the wild is an entirely different one.
Regardless of which sect or splinter cell you belong to in the disclosure debate, for most people it all comes down to finding the most effective way to get a fix published and in the hands of users as quickly as possible. That could mean coordinated disclosure with the vendor or full disclosure on a public mailing list or something in between. But the lines get a little blurry when the discussion veers into the appropriate moment to tell the public that a given vulnerability is being actively exploited. It may seem obvious that users should be told as soon as possible, giving them the best chance at defending themselves or their networks. But there are many other factors in play, mainly the fact that alerting users also will wake up the attacker community.
That’s no small consideration, especially when it concerns a vulnerability in a widely deployed application such as Internet Explorer, Adobe Flash or Java. Researchers from Microsoft and Lancope looked at public exploitation notifications in a handful of major cases from the last few years and found that, as with many things in life, timing is everything.
“Exploitation disclosure is a good thing at any time, but the question is when and can it cause problems?” said Tom Cross of Lancope, who, along with Holly Stewart of Microsoft, gave a talk on the topic at the Virus Bulletin 2013 conference here Wednesday.
One of the cases the pair examined was the Windows Help and Support Center CVE-2010-1885 vulnerability. That bug was disclosed publicly on the Full Disclosure mailing list in June 2010 and the original disclosure included a proof-of-concept exploit. Not long afterward, the exploit was integrated into some attack toolkits and attacks against the vulnerability spiked. In other cases, researchers have gone through the coordinated disclosure process, working with vendors to get a fix ready before announcing the bug, and once the announcement is made, exploitation attempts will immediately increase as attackers pull apart the patch to find the bug behind it.
Not unlike the dreaded disclosure debate, the decision on when to notify users of exploitation attempts depends upon a number of factors. If a vulnerability is particularly severe and there are ongoing, widespread attacks against it, the vendor may well choose to notify users even if there’s no patch available. On the other hand, if the attacks are targeted and relatively spotty and the vendor has no workaround ready, it may decide to hold off on notification.
“If there’s nothing you can tell the users to do, there’s not a lot of point in disclosing the exploits,” he said. “It depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it’s not. If the answer is to tell people not to use a piece of software that’s necessary to do business, the reality is that’s not going to happen.”
It’s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third-party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying its customers.
“There is no one answer,” Cross said.