People following such minute ripples in the Web continuum may have noticed the surfacing of a vulnerability announcement for a bit of Apple software, which was published by Tipping Point Security. The flaw was present in CUPS, the default print server used in OS X. More precisely, a programming error (improper input validation) in the Hewlett Packard Graphics Language filter resulted in a memory overwrite which in turn could be used to run arbitrary code on the affected system with the privileges of the process in question.
Quoth Apple: “If Printer Sharing is enabled on a vulnerable machine, a remote attacker may be able to cause arbitrary code execution with the privileges of the ‘lp’ user”. Of course, sharing a printer is about 95% of what CUPS does, so the other scenario (which leads to a mere local privilege escalation) would be quite rare.
The error and its fix were published simultaneously, thanks to an agreement reached between Tipping Point and Apple Inc. According to Tipping Point, the vulnerability was reported to Apple on 2008-08-19 and fixed almost two months later on 2008-10-09 and made public the following day.
Tipping Point Security manages the Zero Day Initiative, a program through which security researchers are encouraged to share the results of their research with Tipping Point alone, for a fee (www.zerodayinitiative.com/about/benefits/), so that Tipping Point can in turn contact the vendor of the affected software privately, create exploit signatures for its own protection products and, later, notify other security firms of its choice.
To sum this up, Tipping Point paid someone for the vuln, then updated its product (and only its product), notifying Apple as well. Apple proceeded to sit on the vulnerability for two months, finally releasing a fix as part of its regular update schedule. During this time, everyone except the people paying the Tipping Point protection tax (Tipping Point's individual clients and the security companies it chose to notify) was vulnerable, with the added benefit that the flaw was now known not just to one security researcher, but also, certainly, to a number of Tipping Point and Apple employees, and possibly to certain others in the security industry. One can safely surmise that the circle of people in the know, once widened past five persons or so, also contained some of the closest friends and family of the people listed above, as well as a few random onlookers.
This disclosure model is called, in Tipping Point parlance, “responsible disclosure”. I call it a system made to benefit the people with the most money and least moral qualms – and no-one else.