Recent months have seen high-profile public vulnerability disclosures relating to denial of service (DoS) attacks, or low-ranked threats that were later upgraded to high or extremely critical (in the words of the discoverer). It can all be rather confusing for the security industry.
As a consequence, I find myself approached by both customers and colleagues alike as they try to decide who has actually made the correct threat assessment about the vulnerability, and determine why someone got it wrong in the first place.
Even after coordinating the release of an advisory with the public availability of a patch, in a lot of cases the discoverer of the vulnerability and the vulnerable vendor fail to agree on the threat level involved.
In the future, it is hoped that the "Common Vulnerability Scoring System" will help to settle much of the disagreement, but I'm sure that similar problems will still be encountered regularly.
The disparity manifests itself in a number of ways. For the vulnerability discoverer, a higher-ranked threat means more publicity and "kudos" for the researcher, while for the vulnerable vendor, a lower-ranked threat means less publicity and far less notice – hence the natural bias in reporting threat levels.
In other cases, the disparity might arise because the discoverer underestimates the vulnerability or does not have the skills necessary to fully exploit it. In these cases, the vulnerability often gets classified as a DoS or one that does not enable privilege escalation.
For example, take a look at November's proof-of-concept code release for exploiting the unpatched Windows function call in Microsoft's Internet Explorer. While publicly releasing the exploit was both irresponsible and certainly not worthy of any credible security company, it does highlight the fact that underestimating the threat a vulnerability presents can have severe consequences.
The vulnerability itself had first been publicly disclosed as early as May and labelled as a "crash" that resulted in a DoS (although, according to the discoverer, he originally uncovered it way back in September 2003).
It was classified as a low threat and, as a result, no security patch from Microsoft was forthcoming.
However, with more research and time, someone else was able to initiate the Internet Explorer crash in such a way that it could be successfully exploited, thereby allowing them to potentially take control of a victim's computer – suddenly making it a critical threat.
Now, this is not to say that Microsoft lacks security researchers smart enough to have foreseen this vulnerability becoming critical, but we have to remind ourselves that there are a lot of smart people not employed by Microsoft, and it does take a lot of time to investigate each and every software crash.
The time commonly taken to investigate each and every reported crash or "presumed" security flaw can cause other problems as well.
Consider other public postings around the same timeframe related to the discovery of multiple ISAKMP flaws in multiple vendors' products following the release of the latest PROTOS protocol fuzzing tool. With something like 5,000 test cases targeted at a specific product running the protocol, a large number of "vulnerabilities" were uncovered.
The vulnerable vendors promptly released advisories indicating that a number of test cases would result in their software or appliance slowing down, hanging or rebooting, and these were consequently labelled as low-threat DoS issues.
Having reviewed many of the product responses to the PROTOS test suite (reboots, for example), it seems quite probable that some vendors have underestimated the vulnerabilities.
Let's hope that customers apply the patches that have been made available for these low-risk threats before someone else uncovers a way to exploit them in a more significant way – turning them into something "extremely critical".
Gunter Ollmann is director of X-Force, Internet Security Systems