Subscriber Discussion

Should Manufacturers Disclose Vulnerabilities They Find And Fix?

Brian Karas
Nov 20, 2017
IPVM

If a manufacturer finds a vulnerability in their software, either through internal processes, or through external penetration tests done by hired firms, should they make users aware of the vulnerability? If yes, should they disclose it immediately upon discovery, or only after updated software is available?

Robert Shih
Nov 20, 2017
Independent

Usually, I can go on and harp on open testing, yada yada yada. Same old sermon. However, for this security through obfuscation thing to work to any degree, distributors and dealers still need to be kept in the loop.

So in order (tooting a slightly different horn than usual this time): immediate disclosure to distributors, who should then notify dealers, who can then choose to notify valuable end users. Allow the industry press insight into the vulnerability with a mutual understanding that they are indeed taking action, then ask politely that they withhold publication till resolutions are available while fully cooperating with their requests for information.

Then a full court press release a week or two after the patches have been properly disseminated. Give us time to patch it so no opportunists can take advantage of the lapse. Also, give us workarounds and defense methodology while there isn't a firmware based fix immediately available.

Brian Karas
Nov 20, 2017
IPVM

Robert -

That seems like one reasonable approach to making people aware without publicly broadcasting a vulnerability before patches can be rolled out.

bashis mcw
Nov 21, 2017

Robert,

Give us time to patch it so no opportunists can take advantage of the lapse. Also, give us workarounds and defense methodology while there isn't a firmware based fix immediately available.

Totally agree on this, however I see the tendency from most vendors that they rather sneak out patches/fixed firmware with obscure notifications or none at all.

I could expect that from the moment the researcher(s) have notified the vendor and fixed FW has started to be released from the vendor, the vendor actually HAS notified their own chain of resellers/distributors.

But from what I have seen so far, this seems not to be the case (well, not 100% true, since Axis actually did so in July 2016 for the remote format string); this is the one exception I have experienced - but a good one.

Regarding the workaround part, it is pretty difficult to put into reality w/o sharing enough details - and that will also lead to enough details for developing exploits before the intended FD. (Read IPS here)

If it's even possible, due to the fact that unauthorised and/or unauthenticated access to vulnerable services/daemons in these kinds of devices is most commonly R/O in the filesystem, so you can't actually change anything until new patched FW has been deployed onto the device.

Undisclosed #1
Nov 21, 2017
IPVMU Certified

If it's even possible, due to the fact that unauthorised and/or unauthenticated access to vulnerable services/daemons in these kinds of devices is most commonly R/O in the filesystem, so you can't actually change anything until new patched FW has been deployed onto the device.

When the filesystem is ro, can't you set it to rw and copy your changes over in the rc.d every time?

I remember being able to do this with Axis at least.

bashis mcw
Nov 21, 2017

Ah, right, you were U1 in this thread - I was U3.

I Bricked My P3367 While Hacking It Hard, Any Suggestions?

Undisclosed #1
Nov 22, 2017
IPVMU Certified

Impressive :)
