Microsoft to banish 'responsible' from disclosure debate

JMH

Banned
Local time
2:12 PM
Messages
6,448
Microsoft has submitted a proposal aimed at quelling one of the oldest debates in security circles: retiring the use of the term “responsible disclosure”.

The software maker wants to replace the term with the less pejorative phrase “coordinated vulnerability disclosure.” The hope is that software makers and researchers can put aside decade-old differences about the best way to handle critical defects so that end users are best protected.

“We don't want an emotionally laden term clouding the debate, and that's definitely gotten in the way of a lot of good discussions between like-minded people in security,” said Katie Moussouris, senior security strategist in the Microsoft Security Response Center. “We're really trying to reach out across the disclosure dividing lines and find the common ground where we all are. We all want to protect customers and users.”

The modest proposal comes a month after the public disclosure of an unpatched vulnerability took the debate to new highs. On June 9, Researcher Tavis Ormandy dropped detailed information about a critical bug in older versions of Windows that allowed attackers to take full control of a PC by luring its user to a booby-trapped website. Ormandy said he had notified Microsoft of the vulnerability just five days earlier, on a Saturday, and decided to take his advisory public when Microsoft didn't commit to fixing the flaw within two months.

Moussouris told The Register the company was unable to give Ormandy a timeline until it had finished investigating the bug, which resides in the Help Center of Windows XP and Server 2003 and was fixed earlier this month. Ormandy didn't respond to a request to comment by time of publication. Within days of the disclosure, reports began circulating that the previously undocumented flaw was being exploited by attackers.

Some people in security circles, including those at Microsoft, responded by noting that Ormandy worked for Google, and criticized him for releasing the details before Microsoft had a chance to fix the vulnerability, as the tenets of responsible disclosure hold.

On Tuesday, this Google blog post, which was co-written by Ormandy, criticized the term.

“The important implication of referring to this process as 'responsible' is that researchers who do not comply are seen as behaving improperly,” the post stated. “However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time.”

In Ormandy's post on the Full-disclosure forum — which he said represented his private opinion — he went further.
Source -
Microsoft to banish 'responsible' from disclosure debate • The Register
 

My Computer My Computer

At a glance

Win 7 Ultimate 64-bit. SP1.Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6...8 DDR 3 RAM. 1066MHZATI 1024 MB. DDR3. Radeon HD5650
Computer Manufacturer/Model Number
LAPTOP. HP Pavilion dv7-4010TX .
OS
Win 7 Ultimate 64-bit. SP1.
CPU
Intel i7 -720QM.[1.6GHz Turbo Boost 2.8GHz. 6MB Cache.]
Memory
8 DDR 3 RAM. 1066MHZ
Graphics Card(s)
ATI 1024 MB. DDR3. Radeon HD5650
Monitor(s) Displays
17.3" High Definition Brightview LCD. LED Backlit.
Screen Resolution
1600 x 900.
Hard Drives
640GB
Case
Laptop / notebook.
Mouse
Logitech Anywhere mouse. MX.
Internet Speed
ADSL [ but too slow ]
The issue of "disclosure" is a pet peeve of mine. In my opinion, it is irresponsible for any researcher to publicly disclose the details of a vulnerability, particularly one that is not in the wild. Regardless of whether the process is called "Responsible Disclosure" or "Coordinated Vulnerability Disclosure" or whether "in the wild" or not, those who expect immediate response when a vulnerability is reported need to keep some things in mind.

The most important aspect of making a software change is to make one change at a time and "test, test, and test again" after each change. Even after stringent tests are conducted, to ensure the change does not "break" something else, it is necessary to translate the changes to the many supported languages -- and test yet again. I would much rather wait the extra time for the testing to be properly conducted than get buggy updates!

The quote below the MMPC blog, Protection for New Malware Families Using .LNK Vulnerability, illustrates precisely why it is my opinion that it is irresponsible by researchers to release proof-of-concept details to the public:

What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it.

Additional References:

 

My Computer My Computer

At a glance

Windows 7 & Windows Vista Ultimate
OS
Windows 7 & Windows Vista Ultimate
As a user, I'd like to see less finger-pointing or more problem-solving.
 

My Computer My Computer

At a glance

MS Windows 7 Ultimate SP1 64-bitAMD A10-4600M6.00 GB Dual-Channel DDR3 @ 798MHz (11-11-12-28)AMD Radeon HD 7660G
Computer Manufacturer/Model Number
Toshiba Satellite S875D-S7239 laptop
OS
MS Windows 7 Ultimate SP1 64-bit
CPU
AMD A10-4600M
Motherboard
AMD Pumori (Socket FT1)
Memory
6.00 GB Dual-Channel DDR3 @ 798MHz (11-11-12-28)
Graphics Card(s)
AMD Radeon HD 7660G
Sound Card
High Definition Audio Device
Monitor(s) Displays
Generic PnP Monitor (1600x900@60Hz)
Screen Resolution
1600x900@60Hz
Hard Drives
SSD 119GB Corsair CSSD-V128GB2 ATA Device
Keyboard
Standard PS/2 Keyboard
Mouse
HP Wireless Optical Mobile Mouse Model FHA-3410
Internet Speed
What the local pub, local coffee shop offers.
Other Info
Optical Drive:MATSHITA BD-CMB UJ160B ATA Device


Also have an Asus ha1002xp netbook with Win 7 Ultimate installed.
Back
Top