Can alerting the public about exploitation do more harm than good?

Tom Cross (Lancope)
Holly Stewart (Microsoft)

Much has been written on the ethics and timing of vulnerability disclosure, but what about exploitation? When a vulnerability is being exploited in the wild, should the general public be informed immediately? This paper will highlight multiple scenarios, showing empirical data from real-world case studies that identify when disclosure can be helpful and when it can do harm.

This session will define the difference between an exploitation disclosure policy and what most people in the security industry are familiar with: the vulnerability disclosure policy. A simple way to define exploitation disclosure is: the public disclosure of the fact that a vulnerability is being exploited in the wild.

Disclosing the fact that exploitation is occurring is important for many reasons. Software vendors and IT professionals need to understand how to prioritize vulnerability remediation - the fact that exploitation is occurring can motivate faster release and deployment of the remediation. Security product vendors need access to real-world exploit samples so they can validate coverage. Network managers need to know in real time what attacks are taking place, so they can be prepared and focus their attention on the right warning signs and mitigations. End-users need to know what the overall threat environment is on the Internet.

What's less clear is how the timing and details related to exploitation disclosure can escalate the general use of a new exploit, and at the same time, instill public panic when users are left without actionable guidance.

This paper will show numerous use cases spanning many years of active exploitation data from millions of end-users, who sometimes bore the brunt of unfortunate examples of exploitation disclosure. Our use cases cover the many variables associated with live exploitation, from small-scale targeted attempts to large-scale integration into malicious toolkits that reaches tens of thousands of users. We'll also talk about the nuances of update availability from vendors: should the coordination and timing of exploitation disclosure differ based upon the availability of a patch?

In the end, we will provide actionable guidance to anyone who might be involved in this process, from vulnerability researchers, to the targets of exploitation, the media, and even the vendors themselves.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.
