And you were saying?!

Recently we finished another boring week of 90% SQL injections and simple XSSes, and arrived at a more interesting event: “yet another” Microsoft bug that was being exploited before Microsoft thought of notifying anyone about it or fixing it.

As one of the writers at SecuriTeam, I get emails (and comments) asking “why do you publish information about vulnerability X when the vendor has not yet fixed the vulnerability?”.

Well, the problem is not just with Microsoft, but also with Oracle, Cisco, and, well, almost (if not all) of the other vendors. The big vendors have created something they call “Responsible Disclosure”, where *they* decide if, when and how the vulnerabilities are going to be published (or not).

It may sound like a good idea, right? The vendor actually wants to fix the vulnerabilities that were found by the researchers (or should I say “hackers”, for the newspapers?), and only when the situation is right do they release a fix and an advisory.

Hmm… let’s see… Mike Lynn found a vulnerability in Cisco products that affects many of the Internet’s servers, and that can actually bring the Internet “down” (what happened to the idea that even in a nuclear war, the Internet would survive?). And Cisco, on their side, are not going to fix this vulnerability soon, because it requires people to actually replace the core of Cisco products.

So Cisco filed a lawsuit against Mr. Lynn because of that vulnerability. Now, instead of investing their resources in fixing the problem, their resources go to PR and lawyers. HEY! The truth is still out there (like the X-Files used to say).

Someone can still take advantage of it! It did not go away!

The fact that the vulnerability is not publicly known does not mean that no one can take advantage of it. It just means that it’s harder, nearly impossible, to protect against it. And that’s before the situations where the vendor does not accept the fact that there is a vulnerability in its product, and disavows the vulnerability or the researcher.

Now, if a researcher does publish the vulnerability, then the customers (users) will demand that the vendor actually fix the problem. So now we have a chance of fixing the problem, something that was impossible before.

Another problem is that many of the users out there (most of them, btw, do not read SecuriTeam :( ) still have not fixed old vulnerabilities, not to mention newer ones… so why do they worry about full disclosure of 0days in the first place?!