For better or for worse, I don't think there is anyone in the security field today who doesn't understand the value of security researchers and their work to discover vulnerabilities within technologies in use by businesses and consumers. In fact, for a lot of technology providers these researchers can represent free consulting work. Most security researchers – like those at CoreLabs IT Security Research – follow a process of responsible disclosure. Upon discovery and validation of a vulnerability, they contact the developer of the affected technology through appropriate channels and supply information that validates the identified vulnerability. A reasonable timeline is then established prior to public disclosure in order to allow the vendor to properly prepare patching and remediation resources for their customers.
Most security researchers are driven by social responsibility and publicly disclose the vulnerability to help people better protect themselves from a particular threat. Given the fact that even the largest vendors have come to understand the negative impact of unpatched vulnerabilities upon those who use them, it seemed to me that the days of convincing these firms to release a patch were mostly behind us. So it was interesting to me to see not only the two vulnerability advisories released by CoreLabs this week, but the tales behind these two discoveries, and the two vendors involved.
The first advisory was posted this past Tuesday and details a vulnerability within Adobe Shockwave Player. It contains a report timeline which shows the security teams at Adobe and Core Security worked together cooperatively to ensure the issues were remediated and, as a result, the users became better protected in as short a timeline as possible. In fact, Adobe issued its own security bulletin in conjunction with ours last Tuesday in order to be transparent and do the right thing for their users. In a perfect world there would be no security bugs. But our world is not perfect so the next best thing is a coordinated effort to find and fix the bugs, and communicate them responsibly.
In contrast to the cooperative process with Adobe was the one behind the advisory we just released yesterday regarding a vulnerability in the Apple OS X Sandbox. This advisory is in the category "user release", which is a rare thing for us to do. It means that despite our best efforts the vendor chose not to patch the code we identified as vulnerable. (You might note a few differences in the report timelines included within each of the two advisories.) Because this is a vulnerability within Apple OS X, we made a well-thought-out decision to share information in order to educate users on how to protect themselves from harm. According to CoreLabs, “Several of the default pre-defined sandbox profiles don't properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.”
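As an added illustration for users who want to protect themselves (this is not Core's advisory text, Apple's code, or the contents of the predefined profile), here is a custom profile in Apple's Sandbox Profile Language for sandbox-exec(1) that denies networking and, unlike the no-network profile described above, also denies sending Apple events, so a confined process cannot ask an unconfined application to reach the network on its behalf. The file name is an assumption.

```scheme
;; hardened-no-network.sb  (added example; file name is an assumption)
;;
;; Purpose: a drop-in alternative to the predefined "no-network" profile
;; (kSBXProfileNoNetwork) that also closes the indirect route described
;; in the CoreLabs advisory: Apple events sent from the confined process
;; to an application that is not itself confined by the sandbox.

(version 1)

;; Permit everything by default so the workload keeps running, then
;; subtract the specific capabilities we do not want it to have.
;; In this profile language a later rule overrides an earlier one.
(allow default)

;; The restriction the no-network profile is meant to enforce:
;; no inbound or outbound network access of any kind.
(deny network*)

;; The gap the advisory describes: with this rule in place, the confined
;; process can no longer send Apple events, so it cannot drive another
;; (unconfined) application into performing network activity for it.
(deny appleevent-send)
```

Apply it with `sandbox-exec -f hardened-no-network.sb <command>`; the `-n no-network` form of the same tool selects the predefined profile the advisory discusses, which this file is meant to replace for the confined workload.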
Testing to ensure our recommendations for patching actually address the problem means a lot of work for us. We are glad to do it. However, Caveat Emptor is something technology vendors can hide behind – and in my opinion not a valid reason for letting known issues continue to exist in their products. What makes this more interesting is that the vulnerability found by CoreLabs within the Apple OS X Sandbox is very similar to the issues Charlie Miller found and reported in 2008 at Black Hat Japan. At that time Apple modified the profile to prevent the reported vulnerability from being triggered, so the question remains: why has Apple chosen not to do that in this instance?
I'm not smart enough to answer that question, but I can make a declaration: finding and responsibly reporting security bugs makes the world safer, and here at Core we are committed to doing that. So expect to see us continue to work with security-conscious vendors to find and fix the next zero-day before it bites us all.

PS - On a related note, just two days ago Apple revoked Charlie Miller’s app developer license in response to his work to demonstrate a flaw in Apple’s process for reviewing new apps. Check out “Apple Punishes Researcher Charlie Miller For Finding Potential Security Flaw” by Gerry Smith of HuffPost Tech. And more on Apple sandboxing this week from the Mac Observer, ZDNet’s The Apple Core and CSO:

Rant: Welcome to Apple's sandbox - CSO, November 10, 2011, by David Braue
Understanding The Debate Over Apple’s Mac App Store Sandbox - The Mac Observer, November 9, 2011, by Ted Landau
Sandboxing divides Mac App Store developers - The Apple Core (ZDNet), November 8, 2011, by Jason D. O’Grady