The term “responsible disclosure” of vulnerabilities is a misnomer, a phrase created by software vendors who often take so long to release a patch that they are the ones who act irresponsibly, a noted security researcher said this week at the RSA Conference.
HD Moore, CSO of vulnerability management firm Rapid7 and chief architect of Metasploit, said vendors need to start communicating better with researchers who privately report full details of vulnerabilities to them. They can start by turning around fixes in shorter order, Moore said during the six-person panel discussion, which included representatives from Microsoft, Adobe, PayPal and Continental Airlines.
“What the researcher doesn’t see is we’ve got queued up vulnerabilities that we’re trying to get to,” said Katie Moussouris, senior security strategist at Microsoft. “If the core motivation between the researcher and the vendor is to protect the customer, I think we have a lot more in common as long as communication is [there].”
She explained that Microsoft prioritizes its efforts based on the impact to the customer. In other words, if the software giant catches wind of a vulnerability that wasn’t responsibly reported, it will rush to push out a fix, often at the expense of other issues that may have been properly reported by a researcher and that carry a higher likelihood of exploitation.
Similar delays can occur at Adobe, said Brad Arkin, the company’s director of product security and privacy. Adobe runs a “triage process” on learning of a vulnerability, which includes documenting and validating the problem and pushing out a fix within 90 days, or one patching cycle. Patches can be issued sooner for flaws that are publicly disclosed, but that is done at the expense of other unresolved bugs.
One of the end-users on the panel, Tim Stanley, CISO of Continental Airlines, objected to any delays in the patching process. He said he has no sympathy for the vendors.
“I don’t really give a flying hoot because I’m the consumer paying for the product that is supposed to be protected in the first place,” Stanley said. “If you find the burden too heavy, get out of the business.”
He also insisted that customers should learn about vulnerabilities when the software-maker finds out about them.
“Microsoft knows, the researcher might know, but I’m the guy who paid for the product,” he said. “When am I going to know?”
Moussouris countered that the quality assurance program necessitates that vendors allot a certain amount of time to testing patches to ensure they won’t break systems on which they’re installed.
“Do you care about the stability of your systems?” she asked Stanley.
“Should’ve written better software,” he responded, resulting in some oohs and ahhs from the crowd.
Michael Barrett, CISO of PayPal, offered the panel’s most neutral voice. He disagreed with the notion that the responsible disclosure discussion is an “us versus them” dispute between the research community and the software community.
In addition, he reminded the panel that while companies, such as Microsoft and Adobe, are responsible for protecting software, corporations often have just as many problems safeguarding their own proprietary web applications.
“The bigger question is what can be done to protect the entire ecosystem to make it safer,” Barrett said.
Moore lobbed one more criticism at the vendors. He said companies such as Microsoft often fix vulnerable code in newer operating systems, but leave previous Windows versions open to attack.
This is evident when Microsoft publicly patches vulnerabilities that only affect some versions of Windows, usually older iterations such as XP, which most companies are still running.
“The vendor has identified the problem, fixed it and your systems aren’t patched,” Moore said. “They assumed because no one else found it, it wasn’t a bug.”
“That’s a deceptive trade practice, as far as I’m concerned,” Stanley said.
None of the vendor representatives directly responded to Moore’s claims.
Steve Dispensa, CTO and co-founder of PhoneFactor, maker of strong authentication solutions, also participated on the panel.