Effectiveness of Vulnerability Disclosure

The effectiveness of vulnerability disclosure must come under serious question given how quickly malware writers released the Zotob worm, just days after Microsoft provided a patch. In Australia, the Holden (General Motors) plant lost AUD$6m worth of production. It seems that these developers are using the patches themselves as clues to where the vulnerabilities are. If this is the case, then software patches will have to come in two steps:

1) Limited disclosure of vulnerability, through providing firewall rules to AntiVirus vendors, followed by
2) Specific disclosure of vulnerability, where patches are actually released for the affected software

Of course, (1) may be sufficient for hackers to probe for the vulnerability by sheer brute force. However, it at least buys IT departments some time to apply defensive measures without necessarily patching their systems, many of which run 24×7.

Conventional approaches fail IT departments because:

  • Turning off unused services is easier said than done for IT departments. Conventional wisdom dictates “Don’t fix it if it ain’t broke”, which means that the configuration of systems is left as is unless it affects production. The same goes for installing patches from Microsoft when there is a risk of causing production-control systems to fail.
  • Installing individual firewalls on each machine, as opposed to perimeter firewalls, also has the potential to break production systems. So these aren’t going to get much buy-in either.

A better approach would be the drawbridge and moat strategy. Software should monitor the ports that are open on a box, and watch them for activity over long periods of time. When news of a worm release arrives, firewalls could then be activated on the unused ports … equivalent to pulling up the drawbridge when barbarians arrive at the door. This is a very low-risk way of securing systems against aggressive worms, while at the same time mitigating the risk of shutting down production systems.
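As an added example (not part of the original post), the drawbridge in code: a baseline of listening ports is compared against a constructed connection log over an observation window, and every port that has been open but idle for the whole window is turned into an iptables DROP rule, ready to apply when a worm warning arrives. The port set, the log format and the use of iptables as the host firewall are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ports the host is listening on (what `netstat -ltn` would list).
LISTENING_PORTS = {22, 80, 135, 139, 445, 3389}

# Constructed sample connection log, one accepted connection per line:
# "<ISO timestamp> <destination port> <source address>"
CONNECTION_LOG = """\
2005-08-01T09:12:03 22 10.0.0.5
2005-08-01T10:30:44 80 10.0.0.17
2005-08-03T14:02:10 80 10.0.0.9
2005-08-05T08:45:00 3389 10.0.0.5
2005-08-07T11:20:31 22 10.0.0.5
2005-08-09T16:05:12 80 10.0.0.23
"""


def parse_log(text):
    """Return {port: [datetime, ...]} for every connection recorded in the log."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, _src = line.split()
        seen[int(port)].append(datetime.fromisoformat(ts))
    return seen


def unused_ports(listening, seen, now, window_days):
    """Ports that are listening but had no connection in the last window_days."""
    cutoff = now - timedelta(days=window_days)
    active = {p for p, times in seen.items() if any(t >= cutoff for t in times)}
    return sorted(listening - active)


def drawbridge_rules(ports, proto="tcp"):
    """Emit one iptables rule per idle port; apply them when a worm warning arrives."""
    return [f"iptables -A INPUT -p {proto} --dport {p} -j DROP" for p in ports]


def plan(now_iso, window_days):
    """Full pipeline on the constructed data: idle ports -> firewall rules."""
    idle = unused_ports(LISTENING_PORTS, parse_log(CONNECTION_LOG),
                        datetime.fromisoformat(now_iso), window_days)
    return drawbridge_rules(idle)


if __name__ == "__main__":
    print("\n".join(plan("2005-08-15T00:00:00", 30)))
```

A window that is too short will report busy ports as idle (every port, in the extreme case), so the observation period has to be long enough to cover weekly and month-end jobs before the rules are trusted.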
