Wednesday, November 28, 2007


WabiSabiLabi answered my question on their blog in no uncertain terms.

The exploit for sale on their site is not the same as the RTSP exploit currently being exploited in the wild.

The auction states the flaw affects 7.2 which is an older version but I wouldn't be surprised if with some tweaking you would find similar vulnerable code in 7.3. With that being said I think Apple should buy it. Think about it, they have one QuickTime vuln in the wild and another for sale. It would just take one more to make a perfect storm! Plus it's only a thousand euro. Although with the current exchange rate that's like 9,213,456 dollars, but hey, Apple can afford it. To me that would mean that a company is taking the security of its clients more seriously than its image.

Mozilla kinda does it with their bug bounty program and I am pretty impressed with their response time to flaws.


LonerVamp said...

Apple buying that auction would seem like a good step in the direction of buckling towards extortion?

securology said...

You must be out of your mind. If Apple buys this from them, they're setting a terrible precedent.

David Maynor said...

So Mozilla paying for vulns isn't blackmail?

David Maynor said...

Really. It almost seems irresponsible that they know there is a vuln and they don't make every effort to obtain the information and protect their user base.

securology said...

Let's start with the first unethical choice: the "insecurity researcher" who chooses to not privately disclose the vulnerability and wait not only long enough for the vendor to issue a patch, but reasonably long enough for the patch to be applied by even the largest and most non-nimble of enterprises.

Then the other ethical question to ask is: why can these vulnerability pimps exist financially in the first place? If what they're doing is so legitimate, why aren't they working directly for these vendors so they can fix the bugs at the cheapest possible time: BEFORE customers deploy the product. If they're in the private employ of large organizations (for the sake of an impartial third party opinion ... e.g. prior to product selection), their reputational value as a consultancy should come from their client list, not the limelight they receive for publishing the exploit-du-jour. And clearly, WabiSabiLabi is not in that category anyway.

So, you're saying Apple should take on the ethical quandary because WabiSabiLabi has made an unethical choice???

David Maynor said...

I was not aware Apple had a choice in the matter since I am sure nobody asked their permission to sell vulnerabilities in the products. Whether they choose to do something or ignore it they are firmly in the middle of the quandary with people waiting on either side to rip them apart over any decision they make. If they buy the vuln, people like you will moan that they gave in to blackmail. If they don't, Apple's haters can claim they didn't do enough to protect their users. Apple does have a duty to keep their users as safe as possible, and no amount of name-calling or finger-waving on your part will make WabiSabiLabi Labs go away. What do you suggest they do?

As far as your posts on me, they are wildly inaccurate and you stink of a dreamy-eyed idealist academic. Why don't security researchers like myself work for the vendors and fix bugs before software ships? Microsoft had Vista undergo the most extensive audit for an operating system ever and reduced things like the attack surface and added safeguards that would make exploiting any vulnerability harder... but yet they still have bugs.

I have often found that people with impeccable morals and ethics do not wear them on their sleeves or spend time on holier-than-thou crusades to prove themselves right. My feelings about the vulnerability market are simple: my feelings do not matter because it is not going away. Because of this indisputable fact, any time you waste pontificating over how unethical the whole thing is doesn't actually help anyone. In the meantime, the security researchers you hold in such disdain and name-call have to come up with actual ways to protect users from these threats, since there is no such thing as an ethics firewall and a 0-day attack will not suddenly be blocked because it is called immoral.

Tell you what; if you feel so strongly about the matter, you can do something about it. Stop whining on blogs and load QuickTime in a disassembler and find the vulnerability then report it to Apple. That would really show those vulnerability pimps, as you call them.

I suspect you will not do that because it is too hard.

securology said...

First of all, Apple has a choice. All vendors do. One option they have is to defame the insecurity researchers' practices or to pursue litigation against them. There are many options to make the information security industry and the people who pay attention to it appreciate them for what they are--guilty of extortion.

Second of all, we could find the vulns the bad guys are aware of through better and more coordinated monitoring. Just because you loaded QuickTime into a disassembler and you found yet another integer overflow (or whatever problem computer science solved back in the 1960s), that doesn't mean some adversary found the same one, nor that they ever will. You're perpetuating the notion of penetrate and patch and it's not helping any of us. You're creating the need for yourself and your own work.

Thirdly, large organizations that can afford to have your expertise evaluate commercial off the shelf products also have the political prowess to influence vendors to let them evaluate their products prior to release to general consumption. And in that case, everyone benefits. But if you abuse your position with that large customer and publish your findings to say "look at us-- look what we found-- hire us" ... well, that's exactly why I am even writing anything on your blog at all.

Don't get me wrong-- I think that you are better than many, which is the reason why I would even bother with you: I think you could fix your practices and get your last couple toes out of the wrong side of this debate.

Do something about the problem-- the problem where third party assessments still yield buffer overflows? Getting back to the monitoring ... How about building automated tools to monitor activity for 0-days? That's what we're all afraid of, right? That a 0day will result in chaos? Your approach is to try to find the bugs before the bad guys use them, but there's not even a measurable indication that is remotely possible. I'm suggesting we spend our effort in incident response and push vendors to stop creating OSes where buffer overruns are even possible or fielding applications where input vectors are sanitized, etc.

I am just doing what I can to provide an alternative voice to the one the insecurity researchers are suggesting is the mainstream.

David Maynor said...

You are actually suggesting that a vendor defame or engage in litigious activities against vulnerability brokers. You are obviously not a student of history. Microsoft tried that in the late 90s. Threats, bad PR, the whole nine yards, and the only thing it bought them was ill will from a larger group of people and more security problems. That is why they have embraced an attitude of working with independent researchers and the benefits are paying off in spades. In addition to being a bad idea, while in the process of defaming or suing people their customers are still at risk.

Everybody agrees that investing in preventative technologies is a good thing. Where your opinion differs from decision makers is that people see value in researchers as well. Most people seem to be a fan of a layered security model approach instead of trying to rely on just one method like "find all the problems before the product ships". Developers in the past have never had much luck with actually making that fine theory an operational reality.

As far as Ranum's flawed theories, I'll handle him later.