[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Vulnerability Disclosure
Matthew Steer <matt.steer@xxxxxxxxxxxxxx> wrote:
> I have been playing around with a program and have discovered a bug
> that I have successfully leveraged into code execution. I reported
> my findings to the vendor, not yet receiving a reply; this is the
> first time I have done this.
> The bug is in an installer and malicious input is crafted then
> pasted into an input field which is copied into a buffer of
> insufficient size. The conditions of the exploit seem a little
> extreme to me, but it still results in code execution.
> The fact that it is in an installer, hence most likely requiring
> Admin rights, and is a local exploit the risk of this vulnerability
> being exploited seems low (too me, not being a risk assessor!) .
> This brings me to my question;
> Should all vulnerabilities be disclosed to a vendor (at least!)
> however high or low risk?
> I?ve never been a believer in ?Security through Obscurity?, but do
> the people think there comes a point when it may just be a waste of
> To be honest; I hope not!
Can we check my understanding of your situation?
We have a Windows program installer - or is it Unix?
And the person running the install needs elevated privileges to run the
And, using the elevated privileges needed for the install, that user can
trick the installer into doing something other than the intended install?
Wouldn't the person be able to do those things anyway? So, is there an
actual risk of exploitation by someone unauthorized? If the person
installing has the privileges to abuse their system and then subverts an
installer into abusing their system, how much of a problem is it really?
...change of tack...
Speaking from the receiving end of such reports, yes, all (real)
vulnerabilities should be reported.
And all reported vulnerabilities should be acknowledged - at least that it
was received, and preferably that it was evaluated, understood, and proven
correct or incorrect and what, if anything, will be done about it. Which
may take more than one response email, over a period of days to months.
The initial response should be timely - within a week, say. After that,
it depends. And it may be that it is not really worth fixing this
particular problem - though it isn't a decision to be made lightly.
One major problem is knowing whether the report got through to someone
able to asses and understand it.
And another is knowing how many other reports were received the same day
(were the people receiving the reports completely overloaded).
And another is knowing whether the version you found the problem in is
current, and indeed whether the problem reproduces in the current version.
However, and again speaking from experience, many of the problems found in
old versions also manifest themselves in new versions.
Jonathan Leffler (jleffler@xxxxxxxxxx)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"