Are Vulnerability Disclosure Deadlines Justified?
Critical Infrastructure and Control Systems Security

Miles McQueen, Jason Wright, Lawrence Wellman
Idaho National Laboratory and University of Idaho
September 2011, Banff, Metrisec
2 How long should vendors be given? Security firm positions…

“…Rapid7, where HD Moore is Chief Security Officer and Chief Architect of Metasploit, recently revamped their disclosure policy. In short, they will hold a vulnerability for 15 days after contacting the vendor, before sending it to CERT, who will give the vendor another 45 days to address the issue….” --- The Tech Herald, August 2010

“…the Zero Day Initiative (ZDI), part of Hewlett-Packard / TippingPoint, has announced that, with immediate effect, it will limit the period for developing security updates to six months. However, the ZDI says that it will grant extensions to this deadline in special cases….” --- The H Security, August 2010

“Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues.” --- Chris Evans et al., Google Security Team, July 2010

“All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, ” --- CERT/CC 2008

“The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public.” --- Phil Zimmermann 2005
3 How long before reported vulnerabilities have patches made available? (1)

Pwn2Own 2007-2010

Daniel Veditz (Security Group Moderator, Mozilla Corporation) 2009-03-23 14:17:16 PDT
jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into 184.108.40.206 even though we're past code freeze (April release) but May's 220.127.116.11 is more realistic. Needs to make 3.5b4.

Pwn2Own vulnerabilities and patch lifespan:

| Lifespan (days) | Product            | Year | CVE           |
|-----------------|--------------------|------|---------------|
| 8               | Apple QuickTime    | 2007 | CVE-2007-2175 |
| 10              | Firefox            | 2010 | CVE-2010-1121 |
| 11*             | Firefox            | 2009 | CVE-2009-1044 |
| 19              | Safari             | 2010 | CVE-2010-1120 |
| 20              | Safari (WebKit)    | 2008 | CVE-2008-1026 |
| 55              | Safari (WebKit)    | 2009 | CVE-2009-0945 |
| 55              | Mac OS X           | 2009 | CVE-2009-0154 |
| 61              | Adobe Flash Player | 2008 | CVE-2007-6019 |
| 72              | Safari (WebKit)    | 2010 | CVE-2010-1119 |
| 83              | IE8                | 2009 | CVE-2009-1532 |
| 310+            | IE8                | 2010 | CVE-2010-1118 |
| 310+            | IE8                | 2010 | CVE-2010-1117 |
| 676+            | Safari             | 2009 | CVE-2009-1060 |
| 676+            | Safari             | 2009 | CVE-2009-1042 |
| 676+            | IE8                | 2009 | CVE-2009-1043 |

Table note: + These vulnerabilities are not listed in ZDI, and each of their NVD descriptions indicates a different situation, e.g. CVE-2010-1118 indicates “Unspecified Vulnerability in …” while CVE-2010-1117 indicates “Heap-based buffer overflow… via unknown vectors…”. Thus it is not at all clear what is happening with these vulnerabilities.

Deadline markers on the chart: 45, 60, 180 (days). Hmmm
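As an added example (not part of the slides), this Python snippet tallies the Pwn2Own lifespans in the table above against the deadlines quoted on slide 2 (CERT/CC 45 days, Google and Rapid7 60 days, ZDI 180 days). The "N+" rows are treated as still-unpatched lower bounds rather than exact values, so a deadline shorter than N is definitely missed while a longer one cannot be decided from the table; the deadline names and the "unknown" bucket are this example's own labels.

```python
# Added example (not from the slides): compare the Pwn2Own patch lifespans
# with the disclosure deadlines quoted on slide 2. Cells ending in "+" are
# right-censored: no patch had been observed, so the true lifespan is >= N.

# Rows transcribed from the slide's table: (lifespan cell, product, year, CVE).
PWN2OWN_ROWS = [
    ("8", "Apple QuickTime", 2007, "CVE-2007-2175"),
    ("10", "Firefox", 2010, "CVE-2010-1121"),
    ("11*", "Firefox", 2009, "CVE-2009-1044"),
    ("19", "Safari", 2010, "CVE-2010-1120"),
    ("20", "Safari (WebKit)", 2008, "CVE-2008-1026"),
    ("55", "Safari (WebKit)", 2009, "CVE-2009-0945"),
    ("55", "Mac OS X", 2009, "CVE-2009-0154"),
    ("61", "Adobe Flash Player", 2008, "CVE-2007-6019"),
    ("72", "Safari (WebKit)", 2010, "CVE-2010-1119"),
    ("83", "IE8", 2009, "CVE-2009-1532"),
    ("310+", "IE8", 2010, "CVE-2010-1118"),
    ("310+", "IE8", 2010, "CVE-2010-1117"),
    ("676+", "Safari", 2009, "CVE-2009-1060"),
    ("676+", "Safari", 2009, "CVE-2009-1042"),
    ("676+", "IE8", 2009, "CVE-2009-1043"),
]

# Deadlines quoted on slide 2, in days from report to public disclosure
# (Rapid7's 15 days plus CERT's 45 is also 60). Labels are this example's.
DEADLINES = {"CERT/CC": 45, "Google / Rapid7": 60, "ZDI": 180}


def parse_lifespan(cell: str) -> tuple:
    """Turn a cell such as '55', '11*' or '310+' into (days, censored)."""
    text = cell.strip()
    return int(text.rstrip("+*")), text.endswith("+")


def patched_within(deadline: int, rows=PWN2OWN_ROWS) -> dict:
    """Bucket each row as patched by the deadline, missed, or unknown.
    A censored row with lower bound >= deadline is a definite miss; a
    censored row whose bound is below the deadline cannot be decided."""
    counts = {"patched": 0, "missed": 0, "unknown": 0}
    for cell, *_ in rows:
        days, censored = parse_lifespan(cell)
        if censored:
            counts["missed" if days >= deadline else "unknown"] += 1
        else:
            counts["patched" if days <= deadline else "missed"] += 1
    return counts


def deadline_report(rows=PWN2OWN_ROWS) -> dict:
    """Apply every quoted deadline to the table."""
    return {name: patched_within(d, rows) for name, d in DEADLINES.items()}
```

Running `deadline_report()` shows only 5 of the 15 contest bugs patched inside 45 days and 7 inside 60, which is the gap the slide's "Hmmm" points at.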
4 How long before reported vulnerabilities have patches made available? (3)

Summary:
Pwn2Own --- high visibility, few vulnerabilities --- quick fix
ZDI and iDefense --- some visibility, many vulnerabilities --- slower fix
Other vulnerabilities --- little if any visibility, large number of vulnerabilities --- slowest fix?
August 4, 2010 ZDI imposes a 6 month Grace Period (1a) What happened to initial pool of unresolved vulnerabilities?

Timeline: August 4, 2010 --- ZDI announces 6 month grace period, effective immediately; initial pool of 172 previously reported vulnerabilities. February 4, 2011 --- ~6 months later.

Grace period is the amount of time the security researcher allots to the vendor for providing a fix, after which the researcher may independently announce the vulnerability.
August 4, 2010 ZDI imposes a 6 month Grace Period (1b) What happened to initial pool of unresolved vulnerabilities?
August 4, 2010 ZDI imposes a 6 month Grace Period (2a) Did more vulnerabilities have patches available within 6 months?
August 4, 2010 ZDI imposes a 6 month Grace Period (2b) Did more vulnerabilities have patches available within 6 months?
August 4, 2010 ZDI imposes a 6 month Grace Period (2c) Did more vulnerabilities have patches available in 6 months?
10 Conclusion and future work

Conclusion
The 6 month imposed grace period did impact vendor patch creation time
There may be some end user cost associated with the imposed grace period
45 and 60 day grace periods are problematic

Future Work
Are statistics stable over time?
Embracing diversity
Implications to control system disclosure process