I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says:

Full disclosure is the only thing that forces vendors to fix security problems. The further we move away from full disclosure, the less incentive vendors have to fix problems and the more at-risk we all are.

I think Bruce is missing a vital thought here that being, it is the threat of full disclosure and the effect that that disclosure will have on their customers that forces vendors to fix problems. Full disclosure without a remedy, when a vendor is working in a timely fashion to resolve the issue does nothing but hurt the end user. The fact of the matter is that given that patches were not yet available from the vendor, that it would have been incredibly irresponsible of Maynor and Cache to disclose the exact details of the vulnerability.
That’s my take on it at least.
Clearly, the issue of when and how much to disclose is still a hugely open topic.
I know several of our readers were at Blackhat and at least one participated on the Vulnerability Disclosure Panel, what did you think of what was said there? Has your opinion changed in light of the disclosure at Blackhat of yet another Cisco vulnerability?
[Edit: Fixed broken link. Also see Brian Kreb's interview with David Maynor]

Oh never mind. It’s just another sendmail vulnerability. From the commentary over at Securiteam and Dailydave by Gadi Evron, one would think it was yet another “End of the Internet Vulnerability”. But really people, it’s just another vulnerability. Sure it’s more serious then some, but patch and move on. It’s hardly the end of the world.
Photo cred: Chris Yeung

Oracle has just released fixes for 82 vulnerabilities.
After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security researchers such as Alexander Kornbrust and David Litchfield have reported at least 137 Oracle vulns which remain unfixed. He then makes an excellent point:

If we consider that Oracle finds more than 75 percent of flaws in-house, and the total number of the unpatched bugs reported to Oracle just by the above-mentioned security researchers is 137, how many flaws has Oracle uncovered in-house that it still hasn’t fixed? Not sure I’ll get the answer from Oracle, but at least I have asked the question.

The 75% figure comes from Oracle, and is in principle impossible to know with precision. Its accuracy depends on the number of Oracle zero-days out there. As Krebs observes:

[I]f there are widespread attacks against Oracle database servers, it is unlikely most people will ever hear about them — that is, until an affected company is forced through various state data-breach notification laws to go public with a few details (none of which are likely to include the affected hardware or software.)