This is from their blog entry:
Shortly after the release of MS06-042, independent security researchers responsibly disclosed to us the fact that they had discovered the crash was exploitable. We worked with them responsibly during the creation of the update. As soon as we knew we would have to halt the re-release, we informed the third party researchers. Due to the fact we did not want to communicate the existence of the exploitability of the crash prior to an update being available, we also began the process of holding our communication on the issue so that attackers would not have clear public information available that the current problem was exploitable.
This was another difficult decision on our part. There was no intent here to misrepresent the issue as not being exploitable. Oftentimes, however, we find ourselves in the position of having to strike a balance between providing information equally to users who would use the information to protect themselves, and attackers who, history has proven, will immediately use the information for criminal purposes. In this case, we felt that, due to the fact the platform and specific vector of the crash were known, publicly disclosing that it was an exploitable security vulnerability prior to our being able to provide customers with an update to address it would have breached our position on responsible disclosure and would have put customers at increased risk.
Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform. ....SNIP.... Since the exploitability of this is public now however, there is certainly increased risk of attack. We have issued a security advisory detailing workarounds and mitigations for the vulnerability while we have our teams working at full speed to resolve the quality issue and release the update as soon as it meets our quality bar.
It seems that responsible researchers and security analysts bear the whole burden of this one-sided responsibility: they are not supposed to tell the general public the extent of the damage that faulty or buggy software can do, and should instead let the company decide when and how information about its faults will be released!
The company that produces the software, however, has no corresponding responsibility towards the numerous users of its software to tell them how critical the bug really is.
While "Responsible Disclosure" is expected, "Responsible Behaviour" is not guaranteed.
At the very least, the users of a piece of software have to be informed at all times of the bugs that are serious and can be dangerous to them. This is what customers would expect in return for the trust they place in the company's advisories. But Microsoft did not do this, and is now faced with a situation in which it is forced to reveal that it knew of a serious bug and was hiding its presence from the customers who trust it.
eEye in their advisory stated:
This information is already known in various research circles and also with exploit writers. So it is important that IT administrators understand the true threat of this problem: that this is not simply a crashing bug, as Microsoft has been incorrectly misrepresenting it, but in fact an exploitable security bug. Researchers and exploit developers know this; therefore it is extremely important that IT administrators are told what really is going on.
eEye did a commendable job in disclosing this vulnerability to the public.
Microsoft seems to think that the public should and will continue to use a bug-ridden product, and thus that, to save users from harm, it is advisable not to reveal the bugs. They forget that users will move to other products once they lose trust. Microsoft itself should responsibly acknowledge the problems in IE and suggest that users use a more secure web browser. That would be real responsibility!
UPDATE: Here is a link to what vendors define as Responsible Disclosure.
--------------
Tag: Technical