Stephen Withers
Monday, 23 March 2009 11:04
Opinion and Analysis
Page 4 of 5
Sophos's Ross Thomas said "The public good must trump personal gain if we're to make any headway against today's increasingly sophisticated criminals. For an employee of a reputable security company to place in danger through his inaction the security, privacy and finances of millions of people is to my mind grotesquely irresponsible, all for the sake of a few grand and another 15 minutes in the limelight. With a successful drive-by browser exploit now likely to cause many millions of dollars worth of damage - not to mention further erode the perceived viability of the Internet as a safe place to do business - I consider such reckless disregard to be unconscionable."
That's a little bit rich coming from a company that sells security software. Wouldn't it be in "the public good" if Sophos gave away its software? Unlike some of its competitors, it doesn't even offer a free 'lite' version of its main product.
Why does Thomas expect Miller to give away the fruits of his labour when his own company doesn't?
[Disclosure: Sophos, like several other security companies, does make its software available to journalists free of charge.]
There have been cases where people have found a vulnerability and publicly released an exploit before the vendor had a patch for the problem. Sometimes that happens because they think the vendor hasn't responded quickly enough to their initial report of the issue; sometimes it's apparently just digital bastardry.
But that's not what Miller did. He might have discovered the flaw over a year ago, but he did not disclose it.
Even now, very little has been revealed about the flaw that won him the prize in the 2009 PWN2OWN competition. It has been 'purchased' by TippingPoint's Zero Day Initiative, which becomes responsible for reporting it to Apple.
(How does TippingPoint benefit from the ZDI? It uses the information to create IPS filters for the vulnerabilities prior to public disclosure, which presumably makes its service more attractive.)
So the rest of us are no better or worse off than we would have been if Miller had reported the bug as soon as he discovered it.
How tardy are vendors when ZDI discloses a vulnerability? You might be in for a surprise when you turn to page 5.