Danish firm outlines two unpatched Safari vulnerabilities
Is the release of information on unpatched software vulnerabilities justified when a breakdown in communication occurs between research and development firms?
The Danish IT security firm Secunia has released an advisory today regarding two unpatched vulnerabilities in Apple's Safari 5 Web browser. These vulnerabilities are so far are not known to be actively exploited; however, if done, they could allow an attacker to run malicious software and conduct spoofing attacks on those using the browser.
The first vulnerability is in Safari's plug-in handling system, where in some instances when interacting with the plug-in (such as by accessing its settings or contextual menus), if you navigate to a new page, the plug-in may be unloaded in a way that allows it to write to freed memory and thereby allow code to be injected into components of memory no longer being controlled by the plug-in process. Secunia has been able to exploit this bug in Safari version 5.1.2 (the Windows version) using the RealPlayer and Adobe Flash plug-ins, though the company warns that other versions may also be affected.
The second vulnerability is a problem with a built-in function called "setInterval," where when exploited, a malicious attack can display arbitrary contents on the screen when a trusted URL is being visited, potentially allowing for spoofing and misleading people visiting those pages. This bug was found in version 5.0.5 of the Web browser, but has been partially fixed in version 5.1.2, though it apparently is still exploitable to some extent.
While Secunia has just released information on these exploits, they have been known for quite a while, with the plug-in vulnerability being around for over 6 months, and the setInterval function bug being known for over 8 months. Secunia apparently contacted Apple regarding its findings, but following little or no response from Apple has followed the guidelines of its disclosure policy and made the information on these exploits public.
The release of this information by Secunia counteracts general practice regarding vulnerabilities, where as a security measure to protect users, they are usually reserved from publication until after a fix has been issued. Vulnerabilities in software are always being uncovered, but most of the time the exploits are proof-of-principle attacks and are not taken advantage of by hackers in part because there is little time for them to do so before a fix is issued. This release by Secunia goes against this paradigm, and gives malicious software developers more opportunity to exploit these vulnerabilities.
Secunia explains its reasoning for this release primarily as a difficulty in coordinating the vulnerability disclosure with Apple, and essentially complains that because Apple did not jump on this issue and provide the firm with proper status reports on the vulnerability, it decided to go ahead with its report of the exploits.
This situation does bring about a question of ethics regarding vulnerabilities in code, and whether a research firm or individual ought to release information about a vulnerability regardless of whether the software developer ever acknowledges it. Ultimately problems in code affect the user, and knowledge of unpatched vulnerabilities puts everyone who uses the software at greater risk. Therefore, even if coordination between two companies breaks down, one might claim the disclosure of unpatched vulnerabilities ought to remain a high priority until a patch is made available.
Despite releasing information about unpatched vulnerabilities, Secunia ironically (or perhaps satirically) leaves us with the words "Stay secure" as a complimentary close in its blog posting, while its actions leave us with questions on the responsibility of how this matter is being handled.