Security's Everyman

Sunday, August 03, 2008

One more post on DNS

OK, here is my reply to LonerVamps comments on HD Moore releasing Metasploit exploits for the DNS vulnerability that Dan Kaminsky discovered.
Loner broke his comments up into two different comments. I've posted both of them below and my response will be in red.

First Comment
With or without Druid's exploit, our users were at risk. And rather than sit in the dark and not want exploit code, I certainly don't mind having it around to learn from it. I'd even contend that we're better off researching exploit code; write more, learn more, write better ones, learn yet more, and so on. I agree that having exploit code can be beneficial as we learn more about the vulnerabilities and how to protect ourselves from them.

So, you would probably come back and say that HD Moore shouldn't have released it "at this time." But, what basis is there for when a time is appropriate to release exploit code? One year after the disclosure/patches? One month? After a committee of CISSPs gets together and votes on it? After 75% of servers are patched? Ever? I think that the answer to this question depends on what the vulnerability is and how easy the exploit is to deploy. In this case the vulnerability was big and had the potential to affect a large portion of the Internet, potentially sending people to sites that could do all sorts of things, from something as harmless to the user as auto-clicking on ads to something as harmful as dropping Trojans and other malware on systems, as well as stealing account info for financial sites. If this had been just a browser vuln or an ActiveX issue then I wouldn't have been as concerned about HD releasing his exploit this early. Not because the end result is less, but because even those who did do their due diligence were vulnerable to potentially big problems.

And how does exploit code differ from vulnerability details? Should we not disclose details that could lead to exploit code for 1 month, 1 year, or ever? As for when to release vuln details that is a whole different question that has been debated for a long, long time. I'm too tired to deal with that now. :)

This set of questions simply cannot be answered, and never will. And since they can't be answered, I'd have to err on the side of reality: Exploit code is exploit code, and when it is released it is released. And then move on. :)

2nd Comment:
said my comment was too long :(

Andy, I fear you are arguing the side that is actually indefensible. :) Acting "responsibly" is far too relative to ever apply to such a set of people as security-aware geeks. Even though I agree with you in reality, I disagree that we shouldn't expect "security-aware geeks" to act responsibly. Unfortunately we, as security professionals, often do not act responsibly. I feel that we have a responsibility to our users and companies to be responsible. That doesn't mean that we blindly apply a patch just because the vuln is a big one or even because exploit code has been released. It also means that we don't release exploit code when other parties (researchers, vendors, most users) are acting responsibly and doing their job. It would be different if the vendors were ignoring this, but they weren't. They acted responsibly and HD should have let things be.

Here's another way to tackle it. Should we manage our security posture based on whether exploit code is known or not? Yes, a vulnerability/patch does have a different value based on whether code is known or not, but when no known exploit code is in the wild, is it OK to put off the patching of your servers?

It might be argued that distributing details and exploit code will actually stimulate a more secure digital world. If your time frame for patching DNS was a month after the patches because the vuln wasn't known or the exploit created, but is now immediately because an exploit has been released...is that not a desirable state? Obviously the presence of code prompts action, and as such, this might be a benefit to us all... In today's world, with the bad guys ahead of us on almost every front, and with a patch being reverse engineered and an exploit in the wild within hours of its release, any security guy worth his salt knows this. So if he chooses to put off patching just because there is no known exploit, then he is just asking for trouble. We all measure risk and then make a decision based on our level of comfort with each issue. Personally, when you have an issue of this magnitude, I think you are foolish to wait for known exploits.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.