[Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability
bkfsec at sdf.lonestar.org
Mon May 1 19:29:35 BST 2006
Tim Bilbo wrote:
>Setting aside analogies, the questions remain: Does full disclosure make
>the IT community as whole less secure than it would otherwise be?
>Is it more dangerous to have a handful of sophisticated blackhats
>lurking about with an unknown exploit vs. publishing it for every
>wannabe hacker to use? I am confident that the answer is that fully
>disclosing discovered vulnerabilities without first giving the vendor a
>reasonable chance to address them is more harmful.
I'm confident in saying that full disclosure does not make the IT
community as a whole less secure.
My experience, both seeing the white hat and the black hat side of the
community fence at different points in my life, is that the black hats
will always have access to a certain substrata of information that those
of us living in the world of light (i.e. not in a basement) will not
have access to for some time.
The problem with your question is that you're ultimately setting up an
example that doesn't fit reality. The world you describe above is one
where there are two tiers: Those with access to underground data and
those without. The script kiddies on the outside, in the world
described above, don't have access unless it's disclosed in public. The
trouble is that the simplistic model doesn't represent reality. There
are many strata in the black hat world and information is used until
useless and then dumped into the lower strata as cannon fodder.
What you do usually see with full disclosure (likewise with patching),
which is ironically dragged out as an argument against full disclosure,
is that when a flaw is disclosed, you do see script kiddies coming out
of the woodwork making loud noises with automated bots mass-owning
systems. Is this the fault of full disclosure? Nope. It's
inevitable. There are no power structures in place to keep script
kiddies from using what they find and making it their own. Of course,
there's the world of law enforcement, which is effective at apprehending
them after they do the deed, but as a deterrent you have to consider the
type of person being dealt with: A person who feels marginalized by
society and power structures in real life, often lashing out with power
they have gained in the online world through the sheer lack of security
on the Internet in general. The average script kiddie already has an
inflated ego to counter the lack of self esteem they feel. Law
enforcement as a deterrent to this type of person is not as effective as
other people because the script kiddie already believes that he can't be
It's largely because of this multi-layer strata that we're talking about
that makes your question somewhat moot. Are we more or less secure with
or without full disclosure? Well, the question's pretty irrelevant now
isn't it? Disclosure will always happen... the question is who will be
doing the disclosure.
Is it worse to have a skilled, quiet hacker who knows what he's doing on
your network using 0-days, or an army of clumsy script kiddies writing
worms that don't work half the time clogging up networks for one or two
days a year -- not even really affecting most of the Internet or people
who are security-wise in the first place?
Personally, I think the more quiet, careful hacker is more dangerous.
And in the end, it will always get out anyway... so you might as well
bring it full circle sooner. Vendor disclosure before public disclosure
is nice, but does not notifying the vendor inherently make us less
secure? Well, I'd say not really. We were already insecure to begin
with... and a state of secrecy doesn't make us more secure. It just
means we don't know there's a problem that needs to be fixed.
Full-Disclosure is hosted and sponsored by Secunia.