vuln disclosure and risk equilibrium
Some thoughts based on a series of tweets.
“For offence, it doesn’t matter whether the vendor knows a vulnerability exists, it only matters whether the attack works against a target. Fetishising 0day leads to bizarre situations where ppl think that making more vulnerabilities known to more people reduces risk. Fetishising 0day means that people think once a vulnerability is public there’s some sort of automagic immunity.”
So is it possible for disclosing a vulnerability to result in net harm? Maybe, in some circumstances, with some assumptions.
It’s interesting to consider the case of CVE-2016-4657. This is the WebKit vulnerability detected when somebody sent a 0day exploit link to an activist. Instead of visiting, he forwarded the link and the malware (Trident/Pegasus) was detected. The bug was of course fixed. But then sometime later, this same vulnerability turned up in the Nintendo Switch. They hadn’t updated their version of WebKit, even though the vulnerability was widely known.
So this suggests a certain possible equilibrium. Before disclosure, there is a limited set of individuals with the exploit, but many vulnerable people. After disclosure, the number of vulnerable people goes down, but not to zero, while the ranks of exploit-capable attackers increase dramatically.
To apply some made-up numbers, you start with 100 million vulnerable iPhones. But the attackers are quite particular about their targets. Even picking targets carefully, as opposed to spray and pray, they still got caught. So the population in immediate danger is maybe 1000? 10000? Now the vuln is fixed for iPhones, and everybody knows about it. How many Switch owners are in danger? All of them? (I think the likelihood of attack in this scenario is actually kind of minimal. I doubt many Switch owners are using the browser. It’s more interesting as a jailbreak, really, but the point stands.) That’s a million?
The same thing played out with Heartbleed. There was no evidence to suggest in-the-wild exploitation. Within hours after disclosure, people were snarfing up passwords from a wide range of sites. Again with Cloudbleed. Probably not exploited, but then immediately after disclosure, anybody who cared to look could find cached secrets.
Speaking of bleeding, kind of like heart surgery to repair a faulty valve, no? There’s some small risk of the valve failing catastrophically, 0day style, which would be very, very bad. The operation to fix it, however, comes with its own risks. The good news is if you survive the operation, patch intact, you’ll live a long happy life until something else goes wrong.
I still like disclosure, early and often. If only because disclosure is almost inevitable, and lingering wounds are unhealthy. But in terms of broad-spectrum risk? The greatest danger could be after disclosure.