Vendor disclosure to ICSA IDC
I thought I would let you all know of a couple of conversations that have taken place over the recent "IIS Double-byte Code Vulnerability" announcement by Microsoft. I believe it is extremely important to the CVE effort.

Microsoft recently released a security bulletin regarding an internally discovered vulnerability in IIS. Minor issue, source of the page could be displayed. The bulletin contained very little information on the exploit, certainly not enough for us to have considered it for the CVE. I immediately contacted Scott Culp at Microsoft (secure@microsoft.com), who is responsible for the bulletins, to ask why there weren't more details and when we could expect them. The conversation boiled down to MS not wanting to disclose any more than they had to.

I explained the CVE to Scott and indicated that neither we, nor the ID community, would be able to detect (accurately) the vulnerability if we didn't have sufficient information from MS. Scott subsequently had a conversation with Jason Garms over the issue as a result. Their decision was to release the details to Pete Cafarchio's Intrusion Detection Consortium. After discussions with Jason, MS' reasoning was that the IDC was a reasonable body to release such information to, as they (ICSA) had, in MS' eyes, been extremely useful in the anti-virus space at helping MS get information out.

I had a conversation with Pete today regarding this whole issue. He was extremely surprised to get the request in the first place from MS, and even more surprised when Scott sent a message to NTBugtraq explaining MS' decision to release to the IDC (I had suggested to Scott that he tell us what their plans were once they were decided; I did not expect to see the decision I saw). There is no "mechanism" in place for MS to do this in the future. There are no NDAs covering members of the IDC. MS is relying on good faith not to have the information distributed far and wide.

Obviously, given how quickly the actual details emerged in public, that good faith isn't exactly well based. I don't fault the IDC, or whoever it was that disclosed the info to the "public". The issue that's relevant to the CVE effort is the level of disdain Jason had towards my suggestion that the Mitre effort was the right place to disclose the information. He was not impressed, and that is something I would like to see changed.

If we, the CVE, are going to attain any level of credibility, we need to do some marketing to ensure that we are not undermined by past history, or by current or future efforts by others. For example, Pete did not even know about the CVE (or at least that's what he told me), and would love to hear from someone at Mitre regarding it. I'm not suggesting we need to do anything with anyone, only that we need to do something to ensure that this sort of issue does not present a problem to our efforts now, or in the future.

Whether or not the ICSA is used by MS in the future as the only destination for disclosure details isn't important. If we're going to be effective at all, we're going to need to ensure we are inside on these sorts of disclosures, regardless of where they are. We also need to ensure that we have the ability to incorporate information that might only be available to a CVE editor under NDA (with some 3rd party) in our considerations.

This may not be the appropriate forum for such a discussion, but the issue was raised at the SANS meeting and has not, to my knowledge, been discussed in this forum since. If we hope to ensure the integrity of our efforts, we need to move on this.

FYI, expect to see as many as 6 more of these "internally discovered vulnerabilities" from Microsoft over the next 4 weeks or so as they back-port security fixes included in SP5 to SP4 and, hopefully, SP3. Hence the urgency of my concern.

Cheers,
Russ - NTBugtraq Editor