Wednesday, August 6, 2008

Microsoft and Oracle Helping "Time-to-Fix" Problems

Submitted by Ryan Barnett 8/6/2008

Before I talk to the title of this post, I have to provide a little back story. I have had an ongoing DRAFT blog post whose subject was basically a rant against many vendors who were unwilling to offer vulnerability details. Every now and then I would review and update it a bit, but I never got to the point of actually posting it. I figured it wouldn't do much good in the grand scheme of things and the mere act of updating it provided adequate cathartic relief that a public post was not required. There has been some recent developments, however that has allowed me to dust off my post and to put a "kudos" spin on it :)

I have long been a proponent of providing options for people to mitigate identified vulnerabilities. We all realize that the traditional software patching process takes way too long to complete and push out into production when considering that the time it takes for the bad guys to create worm-able exploit code is usually measured in days. When you combine this with most vendor's vulnerability disclosure policies (which is essentially not to disclose any details), then it is obvious that the bad guys have a distinct advantage in this particular arms race...

Ideally, all vulnerability researchers would work with the vendor and they would jointly release details with patches and then customers would immediately implement them on production hosts. Unfortunately, reality is much different. Researchers often have their
own agendas and decided to release vulnerability details on their own. In these cases, the end users have no mitigation options provided by the vendor and are thus exposed to attacks. For those situations where the researchers and the vendor work together, then the end user at least has a fix that they can apply. The problem is that the standard time-to-fix for organizations to test and install patches is usually a couple months. So, the vendor has pushed the pig over the fence onto the customer and essentially takes a "it's now your problem now" approach.

What would be useful would be some technical details on the vulnerabilities that are addressed within the patches. Let's take a look at Oracle's
position on public disclosure. The fact that this is Oracle is irrelevant as many vendors share this same view and that is that they don't want to disclose any technical details of a vulnerability BEFORE patches are released. I really can't fault them for this stance as they want to ensure that they have patches ready. What I am focusing on here is when they have a patch set ready, they should provide enough technical details about the vulnerability so that an organization can implement some other mitigation options until the actual patches are installed. Unfortunately, the vendors position is that they didn't want to release the details as to prevent the bad guys from obtaining the info. What they are missing, however, is that both the good guys (Sourcefire, iDefense, etc...) and the bad guys are reverse engineering the vendors patches to uncover the details about the vulnerability. The only people who don't have any details are the end users.

So the point is that Pandora is already out of the box when vendors release patches. What they should do then is to give technical details for security folks to implement some defenses (for IDSs/IPSs). A great example of this is when bleeding edge/emerging threats folks would create Snort signatures so that an organization can identify if someone is attempting to exploit a flaw.

Now, the whole point of this post is to highlight that I have been fighting the good fight with many vendors to try and get them to see the light on the value of either releasing technical details on web-based vulnerabilities so that end users can create virtual patches with a web application firewall, or even better, for the vendor to release some virtual patches themselves (using the ModSecurity rules language). Well, we haven't achieved the latter one yet but we are seeing signs that both Oracle and Microsoft are starting to address the former. Specifically, Oracle/BEA recently released details about a
WebLogic plug-in for Apache and in the mitigation section they actually mentioned the use of ModSecurity to address the problem! That is a huge step and something that I am extremely excited about. Then just within the last week we saw the announcement of Microsoft's Active Protections Program (MAPP). Here is the short overview -

The Microsoft Active Protections Program (MAPP) is a new program that will provide vulnerability information to security software providers in advance of Microsoft Corp.’s monthly security update release. By receiving vulnerability information earlier, security software providers can give customers potential improvements to provide security protection features, such as third-party intrusion detection systems, intrusion prevention systems or security software signatures.
This is certainly an interesting initiative and may help organizations to receive more timely mitigation options to help protect themselves until the official patches are deployed.

Overall, I have have say GREAT job Oracle and Microsoft for truly helping your customers to close their time-to-fix windows.

No comments: