One little file format, so many problems
An interesting and quite dangerous situation is playing itself out over the firewall in corporate security. There is an Adobe 0day being exploited in the wild. That alone is enough to make every control system admin out there take a quick glance at their firewall rules: an Adobe 0day essentially means that an attacker has access to any business network in the world. If you're targeted, someone in your company will open a PDF, and for the next couple of weeks your corp/SCADA firewall is essentially an internet/SCADA firewall (hopefully most of you think about it like that all the time). But I think the patch and the information disclosure are worthy of a little discussion.
HDM over at the Metasploit blog has a good writeup on everything if you're interested in the details. Essentially there won't be a vendor patch for a bit, so Sourcefire VRT has posted not only enough details to create mitigations (or exploits, depending on your point of view) but also a homebrew patch to solve this particular problem.
So let's pretend this same thing was happening with some SCADA software: a 0day is being actively exploited in the wild and a patch isn't coming for weeks (or months). Would you demonize someone like VRT for releasing details about the vulnerability? Would you be angry with the vendor for being slow to react? What timeline for a patch would you accept? How about just for a workaround/mitigation? Would the thought of applying a homebrew patch ever cross your mind?
What if the vulnerability was found by a good-guy researcher and, as far as anyone knows, isn't being exploited? How does that change your answers? Should it change them much? Or at all?
In the meantime, until you've patched the Adobe software that probably came bundled on a lot of your workstations, you may want to set a policy of not allowing any new PDFs onto your control systems, whether that's via the network or via sneakernet.
Author: Daniel Peck
Posted: February 24th, 2009 under Vulnerability Disclosure.
Comments: 4
Comments
Comment from Ron Southworth
Time: February 24, 2009, 4:28 pm
Daniel,
I don’t know that I would use demonising as a word for expressing the impact and concern owners and operators of critical infrastructure have when discussing this topic. There is a CERT process that can and should be encouraged to be followed that seeks to have researchers collaborating with a product vendor. Where you have enterprise management systems, these sorts of 0-day issues are something that needs to be effectively mitigated against in a way that is consistent with the enterprise risk appetite.
All of this does not stop vulnerability data being “up for sale” in the wild and subsequent use or potential use thereof against our enterprises; this sort of activity is what an effective enterprise security program should manage as a matter of good practice.
Comment from Daniel Peck
Time: February 24, 2009, 4:57 pm
I have to disagree with you there, Ron. And while I completely see your side, I believe that if something is actively being exploited the best solution is to get as much information out there as possible so mitigations can be put into place.
At that point the bad guys have all the information, and as such all the power. While this might marginally increase the number of bad actors willing to use that for evil, it drastically increases the number of good actors who would then have the knowledge to protect their systems.
Comment from Ron Southworth
Time: February 25, 2009, 10:43 am
Hi Daniel,
It is OK to disagree; looking at things from different perspectives is healthy, and maybe there is more common thought than what a first glimpse would indicate.
I will shock you perhaps and say that I think that “motivated types” are always going to be one step ahead of you in terms of a kinetic threat capability, to some extent the assumption should always be that they have a 0 day or two up their sleeve.
There are issues around loss of brand that play very heavily on the consequences side of the beam balance for owners and operators.
I think that what gives you an edge is how good your security program is.
That is all the facets that go into making it effective, from technology through to the procedures, processes, policies and your people. I think technology has a minor role to play actually in getting most of the risk off the table from an operational perspective.
Actually getting as much information out there as is possible sounds like a good idea but how this is done whilst minimizing the impact to an operator is where the divide I think really will start to manifest itself. I do get where you are coming from but I think some evolution is going to have to occur before more open methods are going to be acceptable.
Comment from Daniel Peck
Time: February 26, 2009, 4:46 pm
Ron,
No shock to me at all on the motivated types, I really believe most everyone has come to that conclusion.
But to the real discussion in regards to getting information out there. I believe that in the end, it’s a judgement call between whether you think it does more harm for one more bad guy to have the info or one less good guy to have it. Can the additional baddies do more damage than the “goodie” can prevent? I’d wager that the baddies have a better communication network to get the information out amongst themselves anyway.
In the end, for me, it’s always better to know than not to know.