Security Week 03: Responsible Bugreport Principles

On January 7, Google's Project Zero team, which hunts for software vulnerabilities, announced changes to its rules for disclosing information about the bugs it finds (news, post on the blog). In 2020, Project Zero will disclose vulnerability details 90 days after first notifying the affected vendor. The deadline itself has not changed, but until now Project Zero researchers could publish a report earlier if the software developer managed to release a patch before the deadline. Now Project Zero will wait the full 90 days regardless of whether a patch is available.

The new rules are of interest for several reasons. First, there is no single standard for how much time to give a software developer to analyze and fix a vulnerability. The Project Zero team, which regularly finds serious vulnerabilities, sets such terms on its own and thereby tries to influence the entire industry. Second, and more important, the priorities shift: instead of "close this bug as fast as possible", developers are motivated to fix the vulnerability properly. Otherwise it regularly turns out that a patch either does not solve the problem at all or introduces new bugs.

The new disclosure rules for vulnerabilities found by Project Zero are laid out in the announcement.

Another notable change is that the rules have become a bit more complicated. The same 90-day period can be extended to 104 days if the vendor is having difficulties but can solve the problem within an additional two weeks. There is a short 7-day deadline for zero-day vulnerabilities: if a bug is already being exploited by attackers, there is no point in hiding it from the public. More complicated rules are normal, since cases differ. For example, flaws in patches used to be handled inconsistently: either as a new vulnerability or as an addition to the old one. Now they will be added to the existing report, even if it is already public.

The topic of vulnerability disclosure is inherently contentious. A software developer may see the disclosure of vulnerability details as a blow to its reputation, while a researcher who finds a bug can be accused of seeking publicity at someone else's expense. At least, that was the situation in most cases before vendors began working systematically with white-hat researchers. Over time, perceptions change: vulnerabilities exist in any software, and a company can be judged not by the number of bugs found but by how quickly they are closed. Cooperation with independent bug hunters is also being established, both through bug bounty programs and through attempts like this one to set the rules of the game.

This does not mean, however, that all problems have been solved. What if the bug cannot be closed at all, as with the checkm8 vulnerability in Apple devices (a flaw in the boot ROM that cannot be fixed with a software update)? Is it ethical to disclose that a patch does not work when the 90-day deadline has already expired? That is why Project Zero has labeled the new rules a beta and does not rule out changing them later based on the results of working with vendors. So far, according to Project Zero, ninety days has been enough to close the vulnerability in 97.7% of cases. Be that as it may, the shift from "release a patch as soon as possible" to "close the vulnerability properly" is good news.

What else happened:

The SHA-1 hash function has become cheaper to break (news, research paper). Researchers carried out a practical collision attack on SHA-1 back in 2017, but at the time the necessary computing power, at nominal Amazon cloud prices, would have cost hundreds of thousands of dollars. The new work brings the cost of a chosen-prefix collision down to $45 thousand in theory and $75 thousand in practice, taking into account suboptimal procurement of compute and the learning curve. The attack is quite real: SHA-1 is not an encryption algorithm but a hash used inside digital signatures, and wherever it is still used to sign correspondence or keys an attacker can forge a signature. The researchers demonstrated this by impersonating a PGP key in the GnuPG web of trust. SHA-1 has been almost completely uprooted on the web but is still used in a number of legacy applications.
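To see why a collision in a hash that is "only" used inside signatures matters, here is an added toy example (not from the original post and not the researchers' code). It replaces SHA-1 with SHA-256 truncated to 24 bits so that a generic birthday search finds a chosen-prefix collision in well under a second, and uses an HMAC under the signer's key in place of the public-key signature operation; the hash-then-sign structure is what matters. The prefixes, key and suffix format are constructed for the demo and are assumptions, not anything from the paper.

```python
"""Toy chosen-prefix collision against a truncated hash, and the signature forgery it enables.

Added example. The weak hash is SHA-256 cut to 24 bits (assumption: small enough
to collide instantly); real SHA-1 has 160 bits and the published attack costs a
little above 2**63 SHA-1 computations, which is what the dollar figures price.
"""
import hashlib
import hmac

HASH_BITS = 24  # toy parameter: 3-byte digest so the birthday search is instant


def toy_hash(data: bytes) -> bytes:
    """SHA-256 truncated to HASH_BITS, standing in for a hash with too little collision resistance."""
    return hashlib.sha256(data).digest()[: HASH_BITS // 8]


def sign(key: bytes, message: bytes) -> bytes:
    """Hash-then-sign, the shape RSA/DSA/PGP signatures have: only the digest is signed.
    An HMAC under the signer's key stands in for the public-key operation (assumption)."""
    return hmac.new(key, toy_hash(message), "sha256").digest()


def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """Verifier recomputes the digest of the presented message and checks the signature on it."""
    return hmac.compare_digest(sign(key, message), signature)


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, max_tries: int = 1 << 20):
    """Find suffixes (sa, sb) with toy_hash(prefix_a + sa) == toy_hash(prefix_b + sb).

    The two prefixes are chosen freely and independently; that is what makes a
    chosen-prefix collision (unlike the identical-prefix SHAttered collision)
    usable against certificates and key signatures. Generic birthday search:
    roughly 2**(HASH_BITS/2) hash evaluations per side.
    """
    seen_a = {}  # digest -> suffix, for prefix_a
    seen_b = {}  # digest -> suffix, for prefix_b
    for counter in range(max_tries):
        suffix = counter.to_bytes(8, "big")
        ha = toy_hash(prefix_a + suffix)
        hb = toy_hash(prefix_b + suffix)
        if ha == hb:  # the same suffix happens to collide across both prefixes
            return suffix, suffix
        if ha in seen_b:  # new A digest matches an earlier B digest
            return suffix, seen_b[ha]
        if hb in seen_a:  # new B digest matches an earlier A digest
            return seen_a[hb], suffix
        seen_a[ha] = suffix
        seen_b[hb] = suffix
    raise RuntimeError("no collision within max_tries")


def forge_demo() -> dict:
    """Victim signs the benign document; the attacker reuses that signature on the malicious one."""
    signer_key = b"victim signing key (constructed for the demo)"
    benign = b"Certify: user ID <alice@example.org>\n"        # what the victim agrees to sign
    malicious = b"Certify: user ID <attacker@example.org>\n"  # what the attacker wants signed
    sa, sb = chosen_prefix_collision(benign, malicious)
    doc_signed = benign + sa      # in the real attack the junk suffix hides in an image user-ID packet
    doc_forged = malicious + sb
    signature = sign(signer_key, doc_signed)  # obtained legitimately from the victim
    return {
        "documents_differ": doc_signed != doc_forged,
        "weak_digests_equal": toy_hash(doc_signed) == toy_hash(doc_forged),
        "forgery_verifies": verify(signer_key, doc_forged, signature),
        # the same suffixes do nothing against the full-width hash
        "full_sha256_equal": hashlib.sha256(doc_signed).digest() == hashlib.sha256(doc_forged).digest(),
    }


if __name__ == "__main__":
    for name, value in forge_demo().items():
        print(f"{name}: {value}")
```

The birthday search costs about 2^(n/2) hash evaluations, so the toy needs a few thousand; for SHA-1's 160 bits that generic bound is 2^80, and the cited research reduces the chosen-prefix attack to a little above 2^63 SHA-1 computations. Note that the forged document verifies only because the verifier recomputes the same weak digest; the final check in the demo shows the identical suffixes are useless against an unbroken hash, which is why migrating signatures off SHA-1 is a complete fix.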

Researchers from Malwarebytes found unremovable malware in cheap Android smartphones that an American mobile operator distributes as part of a government program supporting low-income users.

Firefox 72 closes several serious bugs and introduces tools to combat "fingerprinting", that is, identifying users by their browser settings. The browser exposes dozens of parameters to websites, including for example installed fonts and plugins. The combination of these settings makes it possible to identify a user even if they have restricted the standard means of identification via cookies. The problem is addressed by blocking the transfer of data to companies "known to use fingerprinting methods".

Check Point examined the TikTok app. This app, which has Chinese roots, had previously been banned from use in the US Army. Check Point's less politicized study found serious vulnerabilities, including the ability for an attacker to upload videos from someone else's account. Another messenger, ToTok, popular in the UAE because other services are banned there, was removed from the Google Play Store but then returned: it was enough to change the user agreement to state clearly that the app, for example, uploads the user's address book to its servers.

Facebook has banned "political" deepfakes. Under the social network's new rules, for example, you cannot post a manipulated video of Donald Trump, but you can post one of Nicolas Cage: the latter falls into the satire category. How will they tell the difference? Technical methods are still under development, and today it is not easy to distinguish reality from fiction.

Google temporarily cut off Xiaomi cameras' access to its Nest Hub smart home device. Because of a "caching malfunction", Nest Hub users who connected a Xiaomi camera were seeing video and images from other people's cameras.
