[sldev] Viewer security vulnerability disclosure group

Celierra Darling Celierra at gmail.com
Fri Dec 26 20:50:56 PST 2008


On Fri, Dec 26, 2008 at 3:27 PM,  <ordinal.malaprop at fastmail.fm> wrote:
> One can't implement a workaround without
> actually knowing about an exploit...

There are plenty of cases where one can release a workaround or patch
without giving away how to exploit the vulnerability.  One example is
the Kaminsky-found DNS hole (patch: randomize ports).  Another is the
Quicktime-to-SL hole (workaround: disable playback via Quicktime).
Although you get notified that there *exists* a vulnerability
somewhere there, you're not getting details at the level of "the bug
is at llhippos.cpp:123....".  The logic goes, if you release only the
workarounds to the public instead of the exploit details, you make
crackers' lives a bit harder, and so give your users more time to
apply the patches/workarounds before exploits get into the wild.

> The question is whether exposing an exploit will mean somebody who otherwise
> wouldn't now manages to exploit the exploit before the victim can fix
> things. In practice I think history indicates that discovered exploits tend
> to propagate through media quite apart from security lists.

I don't see why an early disclosure group would be much of a hindrance
in a zero-day case.  Suppose an exploit is floating in the wild
already, and LL for some reason does early disclosure anyway.  Then at
least one of the teams of developers (third party and/or LL) would
likely think up some sort of patch or workaround.  If nobody can
figure out how to mitigate it (which would be rather extraordinary!),
then I don't see why they wouldn't immediately go for public help in
coming up with one.

Are you worried about the delay between the two, or am I missing
something?  If you are, then perhaps all that's needed is recognition
that in a case where an exploit is already actively going around,
there's not much gain in releasing to a limited group first (since
'they' already have the exploit).  But I'd think that to be rather
self-evident, to be honest.

Celierra

