What kind of disclosure is this?

16 Sep 2010

I've said in my about page that I am opposed to the concept of "responsible disclosure". The reason is that it takes work to find vulnerabilities, and my opinion is best described by Dino Dai Zovi's post No More Free Bugs. On June 17, 2010, VirusBlokAda published a pdf announcing their discovery of Stuxnet (one of the most interesting malwares of all time!). They disclosed that it had a 0-day exploit related to how Windows processes .lnk files to spread via thumb-drives (CVE-2010-2568). Also it was signed by a legit cert from Realtek (later a variant came out signed by certs from JMicron) and it sought out Siemen's SCADA systems. What interests me right now is it didn't contain just one 0-day, but four 0-days! However, it hasn't been until September 14, 2010 (patch Tuesday) that we found out about and got a patch for one of the additional exploits, which is in the Windows Print Spooler. Microsoft credits Kaspersky Lab and Symantec for independently finding and verifying the additional exploit. Kaspersky has posted that there are still two additional 0-days (for escalation of privileges)!

So lets review the important dates:

  • 0-day: June 17, Stuxnet found and announcement of the .lnk vulnerability
  • Day 46: August 2, Microsoft releases patch MS10-046 for the .lnk vulnerability.
  • Day 89: September 14, Microsoft releases patch MS10-061 for the Print Spooler vuln and discloses the existence of the exploit.
  • Day ?: Patch for privilege escalation vuln 1.
  • Day ?: Patch for privilege escalation vuln 2.

So we all went 89 days totally unprotected and uneducated about the print spooler vuln while it was running around wild and free in a known malware. This is disturbing. I imagine bad guys are getting samples of these malware and reverse engineering them just like the good guys are, and probably incorporating what they find into their own code. If they haven't been, they probably will now! Further, they're probably looking at Stuxnet as we speak, trying to find the two yet to be disclosed privilege escalation vulns.

So what do we call this kind of "disclosure"? And is the malware itself the disclosure of the exploit, or the patch? And do we still call an exploit 0-day on day 89 when it hasn't been disclosed in a paper but existed publicly as a sample that could have been reverse engineered?