In a recent bout of press-mongering, eEye has decided to "predisclose" a security issue in SYMC's software. In other words, eEye has published a report saying that there is a vulnerability and which products it affects, but doesn't give any of the actual details pending a patch from Symantec. Because of the eEye hype, outlets like CNN picked this story up and ran with it, painting a pretty damning picture.
Frankly, I'm surprised that eEye is doing this. While it serves their purpose of generating press (that is, after all, what eEye has always been best at), it's clearly antagonistic to Symantec, and I would argue that it puts users at risk. Folks at eEye would probably assert that it's not dangerous to the community because no details of the exploit were published. However, the article points out that eEye demonstrated the vulnerability to the Associated Press... What assurance did eEye have that these AP journalists weren't technically astute enough to understand how the demonstration was exploiting the vulnerability? Isn't it within the realm of possibility that a journalist witnessing the exploit in action might knowingly or unknowingly divulge enough information to their readers to let the cat out of the bag? If this is going to be eEye's standard disclosure process going forward, doesn't that seem a bit dangerous?
Alright, assuming that the open demonstration of the issue to the press won't lead to the details being exposed - how far along is Symantec in the patch process? Maybe a patch is right on the heels of this, but I suspect it probably isn't. Even if a patch were imminent when eEye made their announcement, anything could happen over at Symantec to delay a release - QA problems could arise requiring more testing, additional information about the vulnerability could be discovered that requires the patch to be rewritten, etc. Since eEye didn't wait for the patch, they can't know what might happen inside Symantec to slow down the patch's development. So attackers have an unspecified period of time to go over the SYMC AV product with a fine-toothed comb looking for this issue.
So, to sum up:
1) Attackers now have a "lead" on where to look to find a juicy issue
2) Symantec has a full-blown marketing issue to contend with as they struggle to patch this 0-day
3) There's the potential for eEye researchers, AP journalists, or other "in the know" people to divulge information about this ahead of a patch
Needless to say, I'm not happy about what eEye's done here. In particular, I'm upset because of their hypocrisy. Either you respect the disclosure process and let the vendor release a patch before disclosing, or you don't. But don't pretend you're an upstanding citizen while at the same time undermining security for millions of people and sabotaging another firm's image to get press for yourself.
Posted by Ed at May 26, 2006 10:21 AM