That Java vulnerability and the full disclosure debate

But PCW has now disclosed that Oracle has known about the vulnerability since April. Security Explorations, it writes, reported 19 Java security issues to Oracle, including the two vulnerabilities currently being exploited, back on 2 April. This raises the question that if Security Explorations and Oracle both knew about this, who else did?

Certainly other parts of the security industry were aware, and it was already being used in the wild. Kurt Baumgartner, a Kaspersky Lab expert, angrily blogged, “The Java 0day activity that we have been monitoring and preventing for almost the past week has been irresponsibly reported on other blogs, with early posts publicly linking to known sites serving the 0day.”

Today, Symantec has discussed its investigation into the ‘Nitro Gang’ who “have been using this zero-day for several days since August 22.” So there are two facts that can be reasonably asserted: one or more zero-day Java vulnerabilities were in active use before its public disclosure, but since its public disclosure those attacks have sky-rocketed. What isn’t and cannot be known is how many other targeted attacks have succeeded since 2 April when today’s advice could have been issued: switch off Java.

The question then arises, would full disclosure in April (or Google’s view of responsible disclosure, which would have made the vulnerabilities public on 2 May) have protected the public better? Kaspersky’s opinion seems clear. In fact, the anti-malware industry is almost unanimous in condemning what it calls ‘irresponsible’ disclosure; that is disclosure of vulnerabilities and exploits before the vendor concerned produces a patch.

“Full disclosure of how the vulnerability worked, and how to exploit it, in April,” Graham Cluley of Sophos told Infosecurity, “might have resulted in even more people taking advantage of it for criminal ends earlier.”

ESET senior research fellow David Harley was a bit more circumspect, recognizing that it presents problems for the responsible disclosure lobby. “I'm guessing that those who believe that the only way to get major software companies to act in a timely manner is to go public will see this as extra ammunition,” he said, adding, “If [this] information is correct, those of us who advocate responsible disclosure wherever possible will be muttering dark oaths.”

Trend Micro’s Rik Ferguson explained the two views. “Full disclosure benefits criminals without question,” he told Infosecurity. “There is an argument that it also helps security vendors devise protection for vulnerabilities that are not patchable (as well as one for which a patch does exist).” But, he concludes, it is “undeniable that it does not help users, elevating their risk level. It is only when both vulnerability and threat exist that quantifiable risk is apparent.”

This then leaves open the question of ‘quantifiable risk’. What if the risk cannot be quantified? What if a zero-day exploit delivered a zero-day malware with Wiper capabilities? It couldn’t go undetected forever, said Ferguson, “but you'd be getting a good couple of years if you were very, very careful.”

The bottom line today, however, is that there are zero-day Java exploits in the wild. To a man, the security industry hopes that it now spurs Oracle into a speedy patch, and that no user, in David Harley’s words, “should have Java routinely enabled if they can avoid it, because Oracle is not a safe pair of hands.”

What’s Hot on Infosecurity Magazine?