How to report security issues

When you find a serious security issue in a widely deployed program, please for the love of Murphy don’t report it on the program’s public forum. Certainly not before you’ve exhausted every other method of privately contacting the author, and been ignored for a good long time. That’s somewhere between cruel and crazy.


Comment by Bill #
2003-02-17 10:59:17

Yikes, that is a bad place to point out a vulnerability. I had just upgraded to 2.61 a few hours ago, and just now went back to the MT site to browse through the boards, when I noticed the warning. I’m assuming all I need is the new which they posted, since they’ve allowed that to be downloaded separately.

Comment by Phil Ringnalda #
2003-02-17 11:16:36

Yep, a new will fix things right up (though you won’t get the ”I run the latest and greatest version” effect from the ”Powered by MT” box on your main page unless you upgrade whichever file it is that holds the version number (probably or; I’ve never looked before but now I’m tempted to hack it into something that reflects my version being a bit off the mainstream).

Comment by Bill #
2003-02-17 11:38:53

You’re correct. It’s in

Comment by Phil Ringnalda #
2003-02-17 11:53:48

Yeah, I think I’ll run version π until I find out that something actually relies on the version number.

Comment by Mark #
2003-02-17 19:03:10

I’m just having all kinds of fun with HTML entities today. Pi! I love it!

Comment by Phil Ringnalda #
2003-02-17 19:33:24

The funny thing is that I haven’t really thought about what might be usable since back when IE6 users were early adopters, or Netscape could only mean 4.x, or Mozilla versions included an ”M”. I just fired up IE, sure that one or the other of our arrows and pies would fail. Nope, no problem. Yours are much better looking in Lynx, though: π just shows as a p, while your arrows are built from -> and the » reminds me of the bad old days, building graphic displays in DOS, with ye olde double-line upper-right corner.

Comment by oops #
2003-02-18 19:29:12

Warning: open_basedir restriction in effect. File is in wrong directory in /home/.quinoven/philor/ on line 339

Comment by Phil Ringnalda #
2003-02-18 20:44:15

The cool thing about that is that now nobody is going to take my advice about anything computer-related for quite a while, so I’ll have lots of time to do other things (like write ”I will not include machine names in paths when I don’t control the machine” 10,000 times). For extra bonus stupidity, this is now the third time I’ve fixed it, having done a quick fix on the static file when I didn’t have time to fix the template, then fixing the template when (after far too long) I realized that a comment had rebuilt the page for me, then just now fixing the included template modules and the PHP files that they include. Maybe I better make that 20,000 times.

Comment by Aaron Swartz #
2003-02-20 07:54:13

Intelligent people disagree on this point.

Most of the smart security engineers I know say you should release the vulnerability publically.

The smartest say you should include source code to exploit the vulnerability, so other engineers can understand it better and users can determine whether their system is vulnerable.

As one wrote: ”Programmers who create security holes will suffer if those security holes are disclosed; good! They obviously need more incentive to check their work.”

Comment by Phil Ringnalda #
2003-02-20 08:36:07

Of course the world isn’t as black and white as either view. If you discover a vulnerability in one of the Borg’s products, you probably do need to shout it from the rooftops, because the patch may or may not come months later, while a bunch of eyes might find a way to shut down the hole in the meantime. From what little following of the security world I’ve done, that’s the situation they face: you find a vulnerability in IE, tell Microsoft, and then for months on end you hear nothing. However, a hole that leaves the system wide open, in a product that you know will be patched within minutes, just doesn’t seem like a candidate for public announcement to me. Since I had the day off, I was able to patch my MT within minutes after the patch was available, but on a normal workday I wouldn’t have been able to do it (or likely to hear about it) for several hours. What would have been gained by telling world+dog how to destroy my weblog in the meantime? Even through the whole grey area in the middle, I’m not very inclined toward public announcement, since I don’t actually subscribe to every single security-related mailing list in the world, but the crackers certainly do, so you end up announcing it to the other security professionals who may or may not be able to figure out a way to block the vulnerability, and may or may not want to bother trying, and I may or may not hear about the fix if they do find one, and at the same time you give every cracker a roadmap.

So, nothing’s black and white, but… if you find a vulnerability in MT, which affects every single installation, leaving them wide open, email Ben and give him at least an hour to release a patch, before you post about it on his message board with instructions for how to get into every single MT installation. And if he does release a patch, give people a few days to install it, for those who are travelling or otherwise out of touch. In this particular case, there’s no need for other people to know about the details, to determine whether they are vulnerable (they are.), or to develop their own patch (it was trivial, diff the new, so there’s nothing to be gained by letting everyone who reads the forums know how to get in.

Sigh. Nothing’s ever as simple as I’d like it to be.

Trackback by Among Other Things #
2003-02-17 12:08:33

Version numbers…

should not be this much fun.

Trackback by #
2004-05-12 14:13:31

Security Issue Reporting

Don’t report them in a forum. When you find a serious security issue in a widely deployed program, please for…

Name (required)
E-mail (required - never shown publicly)
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <del datetime="" cite=""> <dd> <dl> <dt> <em> <i> <ins datetime="" cite=""> <kbd> <li> <ol> <p> <pre> <q cite=""> <samp> <strong> <sub> <sup> <ul> in your comment.