Who do you trust?
Posted by Dan Holden on May 30, 2007 at 8:32 PM EDT.
So by now I'm sure everyone is familiar with the Apple QuickTime vulnerability discovered by Dino Dai Zovi at CanSecWest over a month ago. There has been tons of press about it because it was not only a good bug, but it was also a bug discovered at a contest and then bought by a 3rd party for their own disclosure purposes. There was a lot of message board chatter as to how bad the bug was, whether it had been captured across the network and possibly released in the wild prior to disclosure, and ultimately, whether this type of thing is a good idea at all.
Well, in your humble narrator's opinion, this is what we call 'rented security'. A customer purchasing their security guidance and protection technology from a company that blindly leases security research from third parties, rather than staffing a comprehensive, holistic security research staff, is akin to buying a fake Rolex. In the end the watch may appear real, and you may fool some casual admirers, but it won't keep accurate time, hold up, or fool an expert. In other words, outsourcing what is supposed to be your core competency as a security organization isn't a smart business practice. Even Gartner has spoken out about the dangers of this type of activity, calling it a "risky endeavor". The real problem is that there is no guarantee that the information being purchased hasn't already been shared, or of how good or thorough it really is.
Now my hat goes off to Dino because it really was a good find and under tight circumstances. However, what happens when you are on a time crunch to bring the cash home before anyone else? Well, it's possible you could miss something, which is exactly what happened. While X-Force was in the process of finding and fully exploring the QuickTime bug, we found another and immediately notified Apple to responsibly disclose the vulnerability. The patch for this was released yesterday at 4PM EST.
Apple QuickTime Code Execution
Now is it important that we had protection out 3 weeks prior? Well, that sure was nice for our customer base, but what is truly important is that we understood the original bug and, being a true research group that does this type of thing every day, ended up uncovering a related vulnerability in the process. This is old hat, folks, nothing new here, just more players. It's like Uncle Ben told Peter Parker, with power comes responsibility. It's having the power to understand these things to their full extent and then being responsible with that knowledge that helps the rest of the industry. As some of Gunter's posts have mentioned, the commercial space isn't where the most vulnerabilities are found, so what is the most important part of vulnerability discovery? Understanding the nuances and severity of the issue and then responsibly working with the vendor to get it rectified.
Now this is certainly a complicated subject and some of you may disagree with me. However, until there is a Consumer Reports for the security space as a whole, who are you going to trust? Anonymous researcher, or the X-Force guys that wrote the books that anonymous researcher is reading to get his paycheck from who knows what sources?

