This week brought us the rare double rainbow of a re-emergence of the disclosure discussion and major security news from Microsoft, all wrapped into one. It truly was a gift from Mother Nature. But Microsoft’s decision to change its disclosure stance–and refusal to pay bug bounties–wasn’t the only big news. The Stuxnet saga continued to widen and weirden, a major privacy leak cropped up in Safari and the roots of the mass SQL injection attacks were exposed. What does it all mean? Read on for the full week in review.
It’s been quite a while since Microsoft made any major news in the security world, but when they go, they go big, and this week was a prime example. On Thursday Microsoft announced that it was shifting to a new coordinated vulnerability disclosure policy, which, when you read all the way through it, isn’t necessarily that new. It’s just new to Microsoft. The major change in the CVD policy is that Microsoft conceded that there may be some instances when it’s necessary for a researcher to release details of a vulnerability before a patch is available. “If
attacks are underway in the wild, earlier public vulnerability details
disclosure can occur with both the finder and vendor working together as
closely as possible to provide consistent messaging and guidance to
customers to protect themselves,” said Matt Thomlinson, general manager of Microsoft’s Trustworthy Computing group.
That’s a significant change for Microsoft, which has consistently discouraged researchers from releasing vulnerability details ahead of a patch release, and the company has sometimes publicly scolded researchers for doing so. Microsoft still clearly isn’t interested in seeing that happen very often, but the acknowledgement from Redmond that releasing flaw details may sometimes actually help customers is a major concession. “For finders who still believe that Full Disclosure is the best way to
protect users, we respectfully disagree, but we still want to work with
you if you’re willing. We’d encourage folks who support FD to still
contact us, as we can then attempt to coordinate release of information
with protections that are available. Of course, we still don’t think
this is the best method, because the vast majority of customers will
only be protected with an update – but we believe that even this level
of coordination is definitely better than none at all,” Microsoft’s Katie Moussouris wrote in a blog post.
But Microsoft wasn’t done yet. Later in the day, news broke that Microsoft would not pay bug bounties to researchers who find vulnerabilities in the company’s products. Rumors had been making the rounds in the last week or so that the company would follow the actions of Mozilla and Google, who both raised their bug bounties in the last week. Researchers have been pressuring other vendors, mainly Microsoft, Adobe and Apple, to pay for bugs as well, but Redmond was having none of it. “We value the researcher ecosystem, and show that in a variety of ways,
but we don’t think paying a per-vuln bounty is the best way. Especially
when across the researcher community the motivations aren’t always
financial. It is well-known that we acknowledge researcher’s
contributions in our bulletins when a researcher has coordinated the
release of vulnerability details with the release of a security update,”
Microsoft’s Jerry Bryant said in an email.
But who needs zero days anyway when you have SQL injection? Mass compromises of legitimate Web sites have been a serious problem for a couple of years now, and this week I took a look at the origins of the epidemic and found that it boils down to two relatively simple issues: really, really bad applications and a lack of quality testing of those apps. Web apps are cobbled together, using code from any number of sources and the same mistakes are repeated over and over again. “It’s a huge problem. Web app developers really don’t care about
security unless it’s tied to their bottom line, and it’s not,” said
Jeremiah Grossman, CTO of application security firm WhiteHat Security.
“Developers who know how to write code securely don’t get new jobs
because of that skill. They do what they know how to do. They’re taking
libraries from all kinds of different places, code is outsourced, it’s
written in-house, it’s revamped. It really does sound like the desktop
world 15 years ago.” That’s not a compliment.
Also not a compliment is the body blow delivered by Grossman to the security of Apple’s Safari browser this week, when he identified a serious privacy leak in Safari. The weakness involves the way that Safari’s AutoFill feature handles input from users and helps complete words or phrases they’re typing into the browser. “Right at the moment a Safari user visits a website, even if they’ve
never been there before or entered any personal information, a malicious
website can uncover their first name, last name, work place, city,
state, and email address,” Grossman explained in a blog post. This is sub-optimal, as is the response from Apple, whom Grossman said he contacted two separate times about the flaw and got nothing but one auto-response back. He’ll be detailing the problem at Black Hat next week.
Finally, we were treated to another evolution of the super-weird Stuxnet-Windows LNK vulnerability story. Not only did we find out that there is another binary associated with Stuxnet that was digitally signed by a certificate belonging to JMicron Semiconductor, but we also discovered that there are now new pieces of malware, separate from Stuxnet, that are exploiting the Windows shell LNK vulnerability. This was probably inevitable, but it raises legitimate concerns about the possible emergence of a worm exploiting the flaw, as one of the new pieces of malware has the ability to create new malicious LNK files and spread on its own. Oh, and there’s also the fact that it seems pretty clear that the creators of Stuxnet had advance knowledge of a vulnerability in a Siemens SCADA software package called WinCC, which the malware exploits whenever it finds itself on a vulnerable system. Not a comforting thought.
Others receiving votes