Representing the average customer, Tim Stanley, CISO of Continental Airlines, had the opportunity to ask vendors and researchers direct questions regarding patches and vulnerabilities at the RSA 2010 Conference. "Microsoft knows about a bug, researchers know about a bug, but I'm the guy who paid for the software. When am I gonna know? … And don't tell me about the pains you have in determining what has to be fixed, I don't care. You're in the software business, you're writing code, that's what you're supposed to do. If you can't handle it, get out of the business."
A panel discussion brought him in and put him on the dais with Microsoft, Adobe and HD Moore. He wasted little time making his displeasure known. I am pleased to hear that he tossed cold water on some opening remarks regarding the exposure timeframe from the discovery of a bug to the release of a patch, as well as on some points about the importance of constant communication between vendors and researchers.
"I love the love-fest between the vendors and researchers, but quite honestly, I don't give a hoot. I'm the consumer, the guy who paid for the product that I expect to be correct in the first place. I'm perturbed with the relationships going on. The issue beces a matter where the people paying for the product need to be better represented in this process," Stanley said.
Discussion hit on all the usual topics: vendor triage, prioritization of patching, how zero-day vulnerabilities impact patch cycles, regression testing, and the quality and stability of patches.
HD Moore, famous for the script-kiddie tool Metasploit, called responsible disclosure of vulnerabilities a vendor-created delay tactic. He opined that as a researcher reporting bugs, he is at the vendor's mercy: because the vendor controls the patch release cycle, the vendor determines when his research work becomes public. Too bad, so sad. Publicity is everything, it seems. "If you have evidence that something is being exploited in the wild and a vendor has not patched it, at that point is the vendor irresponsible or you for not reporting?" I only wish that the question had been turned back on HD: if he publishes code publicly before, or even shortly after, a patch is available, or creates a plug-and-play module that simplifies exploitation, who is responsible then?
I have nothing personal against him, but HD Moore needs to smarten up. I hope nobody is buying what this guy is peddling. He is NOT the savior of all software and the elected dispenser of patch-justice. Yes, the vendors don't move fast enough; yes, we can make them move faster by releasing dubious "admin" or "pen-test" labeled tools like Metasploit and its modules that allow any clown with a PC to exploit serious threats. Yes, HD stands to make a boatload of money for himself and the company that bought his "product" (or, as I'm sure he'd prefer, funds his research). In my most humble of opinions, this is aiding and abetting an attacker to commit whatever crime they commit, and the authors of such tools and the companies that they work for, with or through should be accountable, regardless of whatever disclaimers are posted in their EULA.
I might not have all of the answers regarding what should be done to get vendors patching their mistakes faster, but lighting a house on fire to get the people to come out so you can save them from smoke inhalation is probably not the best route to take. If "responsible disclosure" is a process that isn't working, then fix the parts that aren't working, or provide a better one: one that meets the needs of those that researchers and vendors are supposed to be serving. Why not advise the vendor and give them a REASONABLE amount of time to patch? If they don't produce, release NEWS that you have discovered a serious vulnerability (if you don't cry wolf, you will gain credibility) and have the vendor (or a trusted, impartial third party that is not seeking profit) confirm it. If the vendor still doesn't take action, start legal proceedings. A couple of class action suits and they will probably get interested in patching, or better yet, in cleaner coding practices…
There are too many self-serving and egotistical researchers and vendors already, running roughshod, cowboy style, across the windswept plain that is the Internet. Time to clean up this one-horse town.
Source: CNET RSA 2010 article list