When Identifying Problem Sources is Difficult
When security researchers butt heads with companies, the resulting disagreements can fester into an ongoing dispute that never quite resolves in either party's favour (for the record, the linked iPhone Safari exploit doesn't seem to work on OS X).
Apple is probably the company most famous for maintaining silence over reported or disclosed vulnerability information (now that Microsoft have modified their approach), and it is routinely criticised by researchers whose disclosures may or may not have real substance, something Apple's silence makes hard for its user base to judge.
With the iPhone case mentioned above, interesting comments were provided by web application researcher Kuza, who pointed out that even if the Apple team were correct that the vulnerability was, technically, only a minor bug (if a bug at all), that situation itself needs to change.
Developers need to be cognizant of the risks posed by the user who double-clicks on anything they come across - something most developers are aware of, at least as far as people randomly downloading content from the Internet or other networks.
Where there needs to be more awareness is in how applications should handle untrusted data arriving through a channel that is not considered a normal attack vector. In the case of the iPhone Safari bug, the argument being made was that it is still a serious problem when the local user opens and interacts with valid HTML / JavaScript content from the local filesystem - that content could still be malicious and pass data out to a remote system.
Where do developers draw the line when it comes to identifying and managing risk vectors?
Recent disclosures about the Apple QuickTime .qtl vulnerability (with the initial vector patched by Mozilla, and now Apple releasing a patch to address the vulnerability) highlight the problem of correctly identifying the underlying vulnerability and assigning responsibility for it.
This problem has not gone away with that fix. Recent active discussion on security mailing lists has centred around how Windows handles URIs passed between applications on the system when Internet Explorer 7 is present (as it changes the methods used for URI interaction). One particular approach identified a number of applications that appeared to be vulnerable, including Firefox, Skype, Acrobat Reader, Miranda, and Netscape.
Is it up to the developers of the applications listed above to patch this behaviour in their own applications, as Mozilla did with the QTL issue (and also with this one)? Or are they to ignore it and pressure Microsoft to fix the strange behaviour of the system?
Security researchers looking to pad their CV with the number of vulnerable applications found contribute to the problem, as they happily list third-party applications as vulnerable when it is the underlying system that is at fault. Microsoft's response makes the matter even more confusing:
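Whichever side ends up owning the fix, an application that forwards URIs to an external protocol handler can protect itself by validating what it passes on. The following is an added example of such a check (it is not code from Mozilla, Skype or any other project named here, and it is not the specific fix Mozilla shipped); it assumes the application only needs to forward http, https and mailto links, and that it would rather refuse an odd-looking URI than hand it to the system. The sample URIs at the bottom are constructed for illustration.

```python
"""Conservative validation of a URI before handing it to an external handler.

Example code added to this article; not from any project it mentions.
Assumption: the application only forwards http, https and mailto URIs.
"""
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters that commonly change how a downstream handler parses what it is
# given: control characters, whitespace and quote characters. In the raw URI
# whitespace must already be percent-encoded, so it is rejected outright.
_RAW_FORBIDDEN = re.compile(r'[\x00-\x20\x7f"\'`]')
# After one round of percent-decoding, encoded whitespace is legitimate, but
# decoded control or quote characters are not.
_DECODED_FORBIDDEN = re.compile(r'[\x00-\x1f\x7f"\'`]')
_PERCENT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def is_safe_external_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if every check passes."""
    if not isinstance(uri, str) or not uri:
        return False, "empty URI"
    if _RAW_FORBIDDEN.search(uri):
        return False, "raw control, whitespace or quote character"
    try:
        scheme = urlsplit(uri).scheme.lower()
    except ValueError:
        return False, "unparseable URI"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"
    decoded = unquote(uri)
    if _DECODED_FORBIDDEN.search(decoded):
        return False, "percent-encoded control or quote character"
    # If one round of decoding still leaves %XX sequences, the URI was
    # double-encoded; a handler that decodes again would see something the
    # application never inspected, so refuse it.
    if _PERCENT_SEQ.search(decoded):
        return False, "double-encoded sequence"
    return True, "ok"


# Constructed sample inputs (not taken from any real report).
SAMPLES = [
    "https://example.com/path?q=1",
    "mailto:someone@example.com?subject=hello%20there",
    'http://example.com/"%20x',
    "http://example.com/a%22b",
    "http://example.com/%2522",
    "javascript:alert(1)",
]


def check_all(uris=SAMPLES) -> dict:
    """Map each URI to its (ok, reason) verdict."""
    return {u: is_safe_external_uri(u) for u in uris}


if __name__ == "__main__":
    for uri, (ok, reason) in check_all().items():
        print(f"{'PASS' if ok else 'REJECT':6} {uri!r}: {reason}")
```

The check deliberately errs on the side of refusing: an application that cannot be sure how the platform's handler will reinterpret quotes or percent sequences loses little by declining to forward a URI it does not understand.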
'After its thorough investigation, Microsoft has revealed that this is not a vulnerability in a Microsoft product.'
8 October 2007