The Disclosure Debate Continues….. (part 1,453, 769) to be Continued

Thursday, May 23, 2013

Andy Willingham

11146d62a6c31fb9fac8ac8ac991e08d

Here we go again. Another security researcher who apparently thinks that he knows best because his feelings were hurt by Microsoft. Before I go any futher let me say that I don’t know Tavis personally but I do know that he is uber smart and does a lot of good for the security community.

Over the years I’ve thought a lot about responsible vs. irresponsible disclosure. I’ve written about them from a “look what this goob did” to why I feel that there are very few valid cases for disclosure without a fix being available. (unfortunately I don’t have time to search for the posts I’ve written about it to link) I know that many in the community feels that disclosure is necessary and actually makes us more secure because they can then be aware of vulnerabilities and put work arounds in place until a patch is released. The problem with this argument is that most companies and almost no “normal people” not only don’t have to means to do this but also wouldn’t do it if they could. In business security and IT teams are already in over their head with work and having to find the time to research these things and then test and deploy a work around is just more on their already over full plates.

So now that Tavis feels that Microsoft is the big evil software giant he has decided that the PC’s of 99.9% of windows users being open to attack is an acceptable response. I’m sure he feels that if he found the vulnerability that others have found it also so why not. It doesn’t matter that this will be in Metasploit  probably before this blog is posted. Which makes this available to every hack in the world who wants to be the next big name hacker. It doesn’t matter that whereas a few people may have had this and that they would have targeted a few people now the likelihood of lots of others being targeted has gone up by orders of magnitude.

That is the problem with this type of irresponsible disclosure. The mindset is protect the few at the expense of the majority. Maybe a job in federal government is a possibility for the future.

Cross Posted from AndyITGuy

Possibly Related Articles:
9036
Disclosure Security vulnerability
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.