






Two and a half months is a long time for a vendor to take to fix a vulnerability that is being
exploited just after disclosure. It also raises the question: if a vendor has, say, 50 products,
what is an acceptable time to take to issue patches?


On June 5th, the question of time-to-patch became even more pertinent: OpenSSL released
a new set of patches, which fixed 5 vulnerabilities, including one in the handling of DTLS
fragments, which can be exploited (but has not been, at this stage) to cause a buffer
overflow and potentially execute arbitrary code on servers running a vulnerable version of
OpenSSL.

While the original vulnerability, disclosed on April 7th, was rated only “Moderately Critical” by
Secunia Research - because it enables information retrieval, but not code execution - this
new series of vulnerabilities raised the stakes for everyone to get their house in order.

In Secunia’s annual Vulnerability Review we see that patches are released within the first 24
hours of disclosure for 79% of all publicly known vulnerabilities.

All in all, that answers the question about patch time: two and a half months is too long!



Coordination!

So what lessons does Heartbleed teach us? First and foremost that communication,
coordination and patience are key ingredients to successful disclosure:

There is a reason why we in the security industry must insist on a proper process for
vulnerability coordination and disclosure. We know that premature disclosure increases the
risk of exploits being developed while no patch is yet available, and this puts users at risk.

Successful disclosure involves a lot of people – security researchers, coordinators,
developers and vendors. Their efforts need to be timed and aligned, and that requires a lot
of communication - and patience!

And it is not just the researchers that need a disclosure policy: Companies must also have a
policy for handling security incidents and how to fix and coordinate them.



More information about Heartbleed: secunia.com/heartbleed

Secunia Advisories on Heartbleed












15 Cyber Warnings E-Magazine – July 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
