Tuesday, June 5, 2007

Responsibility is Everyone's Job

The software developers constantly talk about responsible disclosure.

Responsible disclosure is basically defined as informing the software developer of a vulnerability so that the vulnerability can be researched and fixed. This is compared to full disclosure where the vulnerability is announced to everyone without giving the software developer a chance to fix the vulnerability. Contrast this with the economic pressure for a software developer to reveal a vulnerability, which is none.

The spectrum consists of Full Disclosure (tell everyone), Responsible Disclosure (tell the developer), and Non-Disclosure (tell no one). Without going into details suffice it to say the responsible disclosure is currently mainstream.

The question is how the developers handle fixing the vulnerability. The general thought is that a responsible company would put resources into fixing these as soon as possible, but these comercial developers are, for the most part are in business to make a profit. I am not including open source developers in this post.

Now for two examples of how Microsoft has handeled responsible disclosures.

The ANI exploit, which I wrote about in Vista Smista& ANI Exploit. The vulnerability was disclosed in December of 2006 and not fixed until exploits where released in March. An quote from my previous blog is below and more details are in my other post mentioned above:
In short this was disclosed to Microsoft in December of 2006. Apparently the first report of this vulnerability was used as an exploit was March 28th. Due to the wide spread use of the exploit several third parties released interim patches... Microsoft
reacted, as it tends to do when third party patches are released, and the news
media starts to publish... Microsoft released the official patch out-of-cycle on
Tuesday the 3rd of April (instead of today the 10th of April).

Just recently, the end of May 2007, a vulnerability in Microsoft Web Server IIS 5.X where authentication can be bypassed, was announced. However this vulnerability was discovered December 15th 2005 (no this is not a typo) and was subsiquently responsibly disclosed to Microsoft. Apparently Microsoft finally decide to publically disclose the vulnerability, but without a fix. Unless you consider paying for an upgrade to Windows Server 2003 and IIS 6.0 a patch.

Keeping in mind thath these are just two examples where:
  1. Microsoft failed to fix a known vulnerability for several months until an exploit was released.
  2. Kept a vulnerability secret for over a year and then releases the information and requires a paid upgrade to the latest code for a fix.

I think Microsoft should re-evaluate their responsibilities as a good citizen or netizen.