reporter on deadline seeks comment about reported security bug in FreeBSD

DAve dave.list at pixelhammer.com
Tue Sep 15 19:29:18 UTC 2009


Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn <mel.flynn+fbsd.questions at mailing.thruhere.net> wrote:
> 
>> Please inform yourself properly before assuming you're right. Mozilla
>> does not by default publish vulnerabilities before a fix is known. In
>> some cases publishing has been delayed by months. The exception is
>> when exploits are already in the wild and a work around is available,
>> while a real fix will take more work.
>>
>> This is also why vulnerabilities are typically not disclosed till a
>> fix is known, because it does not protect the typical user, but puts
>> him in harm's way, which is exactly what you don't want.
>>
>> In theory, if I know the details of this particular exploit, I can
>> patch my 6.4 machines myself, but more realistically, if developers
>> take all this time to come up with a solution that doesn't break
>> functionality the chances that I and more casual users can do this
>> are slim. Meanwhile, the exploit will be coded into the usual
>> rootkits and internet scanners and casualties will be made. That
>> doesn't help anyone.
> 
> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for argument's sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
> disturbing.
> 
> As you can no doubt tell, I am not a believer in the "Ignorance is
> bliss" theory.
> 

I believe the point that others are trying to make is this. Your example 
requires that the exploit is known to the blackhats and in use 
currently. Their example assumes that the exploit is only known to those who 
discovered it.

This particular exploit is not believed to be known to the black hats, 
and not known to be in use currently.

Is it better for an exploit to remain a secret and not in use, 
protecting those that may not get their systems patched in time (as the 
blackhats *will* most certainly put the exploit to use as soon as they 
are told about it)? Or, let the exploit remain a secret until it is 
either fixed and a patch made available or discovered in use by blackhats?

I think you are both right. If the exploit is not being used, keep it a 
secret and let the developers design a permanent fix. If the exploit is 
discovered publicly before the fix is out, warn everyone loudly and 
provide a workaround.

I believe all software I am aware of handles exploits with that method.

DAve

-- 
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org
