Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Vendor gets cold feet about revealing software flaw

We could tell you but would have to kill you.

By Jeremy Kirk, IDG News Service | Published: 09:11, 17 April 2009

Researchers have pulled out of a presentation which was expected to reveal details of a major security vulnerability, citing concerns that hackers could exploit the flaw.

The last minute cancellation of a press conference at the Black Hat security event was because the flaw was so sensitive that even revealing the vendor affected could potentially cause hackers to start poking around with applications or operating systems to try to figure it out, said Jeff Moss, Black Hat's CEO.

The unnamed vendor has told the researchers that it could have a patch ready in a month or so, but it could take as long as four months, Moss said. There are fears that the problem could be as serious as the one in DNS revealed by Dan Kaminsky last year.

"Apparently, it's harder to patch and harder to fix so it's taking longer than they thought," Moss said.

Security researchers who present at Black Hat are encouraged to practice what's called "responsible disclosure," where the vendor is notified and allowed to create a patch before the vulnerability is publicly revealed. Moss said it's hopeful that the vendor and the researchers would be able to release a patch and the details at the same time.

It wouldn't be the first time Black Hat has been on the bleeding edge of vulnerability disclosure. This time at least there haven't been any legal threats from the vendor, Moss said.

In 2005, Michael Lynn, who worked for Internet Security Systems (ISS) at the time, had prepared a talk about how Cisco Systems' routers could be remotely compromised. Cisco and ISS ganged up to stop him.

Lynn changed his presentation and instead spoke about VoIP. After hearing boos from the crowd, he switched to his original topic. He didn't release attack code but instead provided proof it could be done.

Lynn had to quit his ISS job, and was sued by ISS and Cisco, but the lawsuit was eventually dropped after he agreed not to discuss its contents.

If the Black Hat organisers aren't bluffing and the vulnerability is as serious as Kaminsky's, it could mean that lots of companies are doing some secret patching.

Once exploit code is released for a vulnerability, it's game on for hackers, who will immediately try to find vulnerable computers or servers.

Kaminsky's research prompted an unprecedented, industry-wide effort to patch DNS servers, which are used by thousands of companies, ISPs and other entities running networks. Much of that work was done in secret so as to not tip off the bad guys.

The flaw showed that DNS servers were susceptible to an attack that could redirect Web surfers to fraudulent websites even if the URL was typed in correctly, among other scenarios.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.