Editer l'article Suivre ce blog Administration + Créer mon blog
18 juillet 2009 6 18 /07 /juillet /2009 23:55
As my blog title says, I'm a security watcher. And obviously, I keep an eye on one of the very last full disclosure list: Bugtraq.

Recently, a post drew my attention. It was about AV scanning evasion, using PDF files. And one of the engines that was said to be vulnerable was: Kaspersky... 

But, what was surprising to me was both the tone of the author and the word "forced disclosure" at the top of the advisory.

I understood immediately that again, an independent security searcher had to fight against a vendor, to allow his discovery to be counter analysed (at least!), published if necessary, and then, lead to a patch or update release.

But Kaspersky did not seem to listen to him, and they did not even reply to his numerous emails.

Even when F-Secure sent the PoC to K Labs, and asked them to reply, still no answer.

So Thierry Zoller had to use one of the extreme sides of full disclosure: "forced disclosure". Thus, the vendor could not ignore anymore that alert, since it was publicly announced thnaks to Bugtraq (after they had been notified in due schedule).

And indeed, the day after the Bugtraq publication (to me, a kindda security information broadcast), K Labs promised him a reply with updates...!

Here is the whole story:

This is one of the reasons why I sincerely uphold the full disclosure idea.
Among other risks (e.g. 0days publications leading to exploitations), this is sometimes the only mean to get a reply from vendors, and then, hope to see a patch/update being created.

There is already another world of information security disclosure, which is silent and filtered. It leads to an underground economy (cf. Symantec report), where you can buy 0days and malwares (not detected by the AV you choose)...

This is again a reason why we need security search and full disclosure, to find and announce security holes, and then try counter-measures before there is a vendor solution (or during the deployment delay).

What if tomorrow, there is no more full disclosure at all? a remote 0day exploit being discovered in a virtualization solution could bring the chaos to a lot of infrastructures (sounds familiar hmmm?). With no information, no remediation (at first)... What if the vendor does not react quite quickly, and does not offer technical support needed?

In that world, we would all have to pay for the information security, else we could only watch what's going on, incident after incident, and see the victims count increasing...

Partager cet article



dissertation 07/09/2009 07:14

Blogs are so informative where we get lots of information on any topic. Nice job keep it up!!