I often wonder why disclosures of these types of exploits are now "same day" instead of "Let vendor know you will be reporting this to public in a week."
I wonder if it is out of concern they will be pressured to keep quiet?
There is a good practical reason for not providing advance disclosure at major conference, particularly if you're subject to some kind of NDA, because, more often than not, the security researcher faces the risk of legal action and being shut down.
That pattern, though, "We are going to announce a security hole in major vendor product" followed by, "Shut down by legal action" - happens so frequently that I often wonder whether that's actually part of some larger pattern of entrepreneurial behavior that's opaque to me, it happens so frequently. Maybe it enhances your reputation? Gets you in the news?
I'm all for full disclosure, but, it might be nice to give the vendor a week to have a patch that can roll out at the same time as you let the world know what you found.
When I discovered a vulnerability in Mac OS X that would allow an unprivileged user to keylog every user on the system (CVE-2007-0724), I let Apple know, then kept quiet until they fixed the issue. It took them 11 and a half months to fix. They thanked me in the security update note, and I now have a CVE on my resume. Was silence the most morally correct action? To this day, I am still unsure.
There is an active debate on whether immediate full disclosure is the right or the wrong response. In general until there is public disclosure, vendors do not feel motivated to fix problems. Unless you release details, people cannot verify that they are vulnerable. And if an exploit is already circulating among "the bad guys", then you're not doing that much damage by disclosing.
In this case it looks like someone is publicly disclosing a vulnerability that is already in circulation, and presumably is in use somewhere. A vulnerability which might have the potential for remote code exploits against multiple operating systems, and there is no guarantee that someone hasn't figured that out and is using it right now. For someone squarely on the full disclosure side of the debate, this would be about the best case to fully disclose everything, immediately.
2 years apart, same outcome. Apple has a terrible track record of fixing bugs. So far it seems giving them a minute, week, or month makes no difference. In the past other vendors have had issues with timely fixing their bugs or trying to squash disclosers, that's why lists like full disclosure exist to this day.
I take it 12/11/12 is a December date, not the November one that it is by convention here... I missed that and assumed a month had been given, as screen grabs show November dates.
I'm not sure why the page states Apple was notified 12/11/12 but this attack has been known (by me and sec folks) a little while now, and I found out about it from an Apple engineer that works in this area. So they've been aware of it a while. It also affects iOS.
Maybe Sam Bowne (the author) didn't formally notify Apple until he had more solid details, but he certainly made the issue publicly-known before this. It wasn't a surprise attack on anyone.
I'm not defending the disclosure procedures but I think the author is under the impression that Apple is not going to care/respond and therefore not worth waiting X days before announcing publicly:
"The new version of the attack is powerful enough that I decided to formally notify Apple. I don't expect them to care much--Microsoft certainly didn't think this was important to them, and Windows is much more vulnerable."
It's also worth noting that while this vuln has a high availability impact, it also requires very specific network access, i.e. you can't run this from your cable modem and kill a random box on the internet.
If there's no reason to believe that the exploit is already being used in the wild, then I completely agree.
I also think that a good compromise would be to pass on the exploit information to some 3rd party, tasked with releasing full details at a certain date (or simply, the responsible release of the exploit). The focus of pressure would then shift from the researcher to this 3rd party, which would presumably have the means to resist the pressure.
Reminds me of the '90s when WinNuke and Smurf attacks ran wild. Remember one attack that caused our Linux boxes to panic, but I can't remember what it was called. It's not surprising that we're seeing stuff like this in v6. IPv4 has had the bugs hammered out from years of attacks, v6 not so much.
Except, for this attack you have to be link-local (fe80 is local scope, and so are router advertisements). Realistically, for most server installs you're okay. For coffee shops with an open, insecure broadcast domain, not so much
Since this attack is based on Router Advertisements, you need to be on the same LAN to exploit it. It also does not apply if the LAN implements RA Guard (RFC6105).
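The two defensive points made in the comments above (the attack only works from the local broadcast domain, and RA Guard per RFC 6105 stops it at the switch) can be shown in code. What follows is an added example, not code from samsclass.info, from Sam Bowne, or from any switch vendor. It builds constructed sample RAs offline, validates them the way RFC 4861 section 6.1.2 requires (hop limit 255, link-local source, ICMPv6 code 0, valid checksum, no zero-length options), applies a stateless RA Guard decision keyed on whether the receiving switch port is router-facing, and keeps a sliding-window counter as a host-side fallback for LANs without RA Guard. The sample addresses, the port-trust flag and the flood thresholds are assumptions.

```python
"""Added example, not code from samsclass.info or any vendor: RFC 4861 RA checks, RA Guard, flood monitor."""
import struct
from collections import deque
from ipaddress import IPv6Address, IPv6Network

ICMPV6 = 58                                # IPv6 Next Header value for ICMPv6
RA_TYPE = 134                              # ICMPv6 Router Advertisement
PREFIX_INFO = 3                            # NDP Prefix Information option
LINK_LOCAL = IPv6Network("fe80::/10")


def icmpv6_checksum(src, dst, icmp):
    """Ones-complement sum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src, prefixes, hop_limit=255, dst=IPv6Address("ff02::1")):
    """Constructed sample traffic (not a capture): IPv6 + RA carrying one /64 Prefix
    Information option per prefix, A flag set, 30-day valid lifetime."""
    src = IPv6Address(src)
    opts = b"".join(struct.pack("!BBBBIII", PREFIX_INFO, 4, 64, 0x40, 2592000, 604800, 0)
                    + IPv6Network(p).network_address.packed for p in prefixes)
    # type, code, checksum placeholder, cur hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opts
    ra = ra[:2] + struct.pack("!H", icmpv6_checksum(src, dst, ra)) + ra[4:]
    ip6 = struct.pack("!IHBB", 6 << 28, len(ra), ICMPV6, hop_limit) + src.packed + dst.packed
    return ip6 + ra


def parse_ra(pkt):
    """RA fields of a raw IPv6 packet; None if not an RA; ValueError if RFC 4861 s6.1.2 says discard."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
    body = pkt[40:40 + plen]
    if len(body) != plen:
        raise ValueError("truncated payload")
    if nh != ICMPV6 or not body or body[0] != RA_TYPE:
        return None
    if len(body) < 16 or icmpv6_checksum(src, dst, body) != 0:
        raise ValueError("short RA or bad ICMPv6 checksum")
    prefixes, i = [], 16
    while i < len(body):                                   # walk the TLV options
        if i + 2 > len(body) or body[i + 1] == 0:
            raise ValueError("malformed option")           # zero-length option => discard
        end = i + body[i + 1] * 8
        if end > len(body):
            raise ValueError("truncated option")
        if body[i] == PREFIX_INFO and body[i + 1] == 4:
            net = f"{IPv6Address(body[i + 16:i + 32])}/{body[i + 2]}"
            prefixes.append(IPv6Network(net, strict=False))
        i = end
    return {"src": src, "hop_limit": hlim, "code": body[1], "prefixes": prefixes}


def ra_guard(pkt, port_is_router_facing):
    """Stateless RA Guard verdict for one packet on one switch port: forward RAs only from router-facing ports."""
    ra = parse_ra(pkt)
    if ra is None:
        return "forward", "not a Router Advertisement"
    if not port_is_router_facing:
        return "drop", "RA received on a host-facing port"
    if ra["hop_limit"] != 255:
        return "drop", "hop limit != 255, so it did not originate on this link"
    if ra["src"] not in LINK_LOCAL:
        return "drop", "source address is not link-local"
    if ra["code"] != 0:
        return "drop", "ICMPv6 code != 0"
    return "forward", "valid RA from a router-facing port"


class RaFloodMonitor:
    """Host-side fallback without RA Guard: flag a source exceeding max_ras RAs or max_prefixes
    distinct prefixes inside `window` seconds.  Default thresholds are assumed values."""

    def __init__(self, window=10.0, max_ras=50, max_prefixes=20):
        self.window, self.max_ras, self.max_prefixes = window, max_ras, max_prefixes
        self.history = {}                  # src -> deque of (time, prefix or None)

    def observe(self, pkt, now):
        ra = parse_ra(pkt)
        if ra is None:
            return False
        q = self.history.setdefault(ra["src"], deque())
        q.append((now, None))              # one marker per RA
        q.extend((now, p) for p in ra["prefixes"])
        while q and now - q[0][0] > self.window:
            q.popleft()
        ras = sum(1 for _, p in q if p is None)
        distinct = {p for _, p in q if p is not None}
        return ras > self.max_ras or len(distinct) > self.max_prefixes
```

Calling `ra_guard(build_ra("fe80::1", ["2001:db8:1::/64"]), port_is_router_facing=False)` returns a drop verdict, the same RA on a port marked router-facing is forwarded, and feeding `RaFloodMonitor().observe()` a burst of RAs that each carry a different prefix flips it to `True` once the window holds more than the threshold. The hop-limit-255 rule is what makes "you have to be link-local" hold: anything that crossed a router arrives decremented and is discarded by every RFC 4861 receiver. It does nothing against an attacker who is already on the broadcast domain, whose RAs are perfectly valid, which is why the port-based rule (or a per-host monitor) is the part that actually matters in the coffee-shop case.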
http://www.youtube.com/watch?v=8Q8EFwKVKdA for some non-trivial but ingenious ways you can get to a LAN from the outside. (Then again if you're as useless as my ISP, leaving the telnet server on the DSL modem with a default password, listening on the WAN, you don't need to do anything fancy to exploit LANs)
In the video, he tested OS X, Windows XP, and Server 2012. OS X beachballed, XP went to 100% CPU, and Server 2012 panicked and rebooted. All three failed; this isn't just an Apple issue. Was Microsoft notified as well?
In my experience (and as this article suggests), Microsoft operating systems have always been really vulnerable to flooding, even over IPv4. Malformed UDP packets to port 53 (DNS) at about 20-30k packets/sec instantly would lock up a windows box and prevent it from successfully rebooting. This was one of the preferred methods for the wargames that were played for bandwidth over the shared housing network for Microsoft Research interns in China a few years back.
ghshephard|13 years ago
splicer|13 years ago
btilly|13 years ago
pixl97|13 years ago
http://www.the4cast.com/apple/apples-flashback-fiasco-what-r...
lostlogin|13 years ago
runjake|13 years ago
dfc|13 years ago
danielbarla|13 years ago
sigjuice|13 years ago
X-Istence|13 years ago
pixl97|13 years ago
metalruler|13 years ago
http://www.physnet.uni-hamburg.de/physnet/security/vulnerabi...
sargun|13 years ago
dfc|13 years ago
alexkus|13 years ago
teardrop?
highwind|13 years ago
p1mrx|13 years ago
psionski|13 years ago
noselasd|13 years ago
btgeekboy|13 years ago
newhouseb|13 years ago
joejohnson|13 years ago
JBiserkov|13 years ago
"... this one crashes the Mac, and it makes [Windows] Server 2012 restart."
treepunch|13 years ago
perlgeek|13 years ago
crazypyro|13 years ago
lifeguard|13 years ago
http://en.wikipedia.org/wiki/Denial-of-service_attack#Teardr...
sigjuice|13 years ago
myko|13 years ago
http://samsclass.info/ipv6/proj/RA_flood2.htm#10
treepunch|13 years ago