- 10 Microsoft research projects
- 10 kitchen gadgets for the geek gourmet
- Verizon trounces competition
- Smartphone smackdown: Storm vs. iPhone
- FBI warns of holiday cyber scams
A pair of Gartner analysts Tuesday denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests.
The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.
Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the $10,000 prize offered by TippingPoint's Zero Day Initiative, a bug bounty program that's been in operation nearly two years.
Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled browser, "very serious." Apple has yet to patch, or announce when it will patch, the vulnerability.
"Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner on Monday.
"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue ... could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."
"There are a lot of definitions of 'responsible disclosure,'" retorted Terri Forslof, TippingPoint's manager of security research. "What it means to us is that the vulnerability and its exploit are kept quiet and the vendor's given the time to patch the issue.
"It comes down to the facts of the case. The [CanSecWest] organizers took great pains to secure the network that was actually used for the challenge. As for the idea that this added some risk [that the vulnerability would be made public], I don't find it to be the case."
Mogull and Young recommended that security vendors call an end to public contests. "Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users," they concluded.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment