Gartner analysis slams TippingPoint, CanSecWest hacking contest

Share this article:

Gartner took a jab at TippingPoint and CanSecWest officials this week, criticizing them for a recent hacking contest that revealed a then-unpatched flaw in QuickTime.

At last month’s conference, TippingPoint paid $10,000 for a vulnerability discovered by researcher Dino Dai Zovi after he and a partner won a "hack-a-Mac" contest.

But Gartner analysts Rich Mogull and Greg Young concluded in a research note titled, "QuickTime vulnerability exposed by contest poses wide risk," that vendors and security services firms should "consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users."

Hacking challenges are well intended, the researchers said, but they can lead to opportunities for criminals.

"Public vulnerability research and ‘hacking contests’ are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," the researchers said.

"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities – which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers," they added.

The QuickTime vulnerability was not publicly exploited before being patched late Tuesday by Apple, according to researchers.

User interaction is needed to exploit the flaw, which is vulnerable on Windows and Mac OS X operating systems.

Terri Forslof, manager of security response at TippingPoint, told today that her company didn’t set up or sponsor the challenge, but was approached by CanSecWest organizers about the cash prize.

The vulnerability's purchase ensured that its details stayed between the researchers, the TippingPoint's ZeroDay Initiative and the vendor – in this case Apple, which patched the flaw in less than two weeks, according to Forslof. But bloggers and other media outlets who attended the conference knew about the discovery, which prompted immediate and widespread discussion and speculation across the web.

Kris Lamb, director of X-Force labs, the research wing of IBM Internet Security Systems, told today that firms cannot guarantee exclusive ownership of a flaw bought from a researcher.

"The information is being talked about in public, as well as details of the vulnerability, and it doesn’t take very long for a skilled researcher to piece the details together and know what new vulnerability is out there that Apple hasn’t remediated yet," he said. "Bug bounties don’t offer more protection to the customers, and I would argue that they put the customer more at risk while they realize it or not."

Dragos Ruiu, principal organizer of CanSecWest, told today that the contest made Mac users safer because the QuickTime flaw is now patched, whereas it could still be unknown if it hadn’t been exposed.

"I completely disagree and that’s my opinion. I think those flaws would’ve stayed hidden and would still be a vulnerability. The quicker we get those disclosed and closed, the safer the software is," he said. "The people who come to the conferences are all IT security professionals, so there might not be a better place."

Click here to email Online Editor Frank Washkuch Jr.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.