Archive for March, 2009

Marketing in Security

As soon as I’m done with the first release of my text analytics framework, I’ll put it to good use by creating a “Marketing Buzz” generator that, given a specific domain – like IT security or shoes, for example – generates marketing ads like those that you can find on gazillions of company Web sites today. Check this one out, for example, and vote: is it real or not? Hard to say, isn’t it?

As the range of vulnerabilities threatening your landscape grows, the impact of security breaches becomes increasingly varied, severe, and identifiable with consumer retention and organic optimization of restructured corporate controls. External cosmologic constants are aligning centripetal forces lurking in the hideous cracks of your self-reliant network, thrusting costly resources and market discriminators into potential accelerating needs for all-encompassing security solutions embedded in the very fabric of your organization.


Turn to John Doe, your trusted security advisor, for the leading choice to inject reliable and infallible security into your critical IT infrastructure and processes. John’s UltraSecure Platform and Super AntiHacker technologies are the time-proven critically-acclaimed fast-reliant just-in-time cutting-edge self-healing on-demand value-added preferred choice for industry leaders and security-minded managers of today, just like you. Are you ready to take control and strengthen visibility into your security and value stream while keeping hackers at bay? Are you ready to follow the steps of trillions of successful IT companies in the world that have met their business objectives leveraging a blended approach interleaving security benchmarks with incremental adoption of security solutions geared towards the customer’s choice? If your answer is yes, then you’re ready for John Doe, the most secure security solution in the world.

Learn It! How to Write a Responsible Vulnerability Disclosure

After growing sick of reading tons and tons of alarmist reports on extremely dangerous vulnerabilities in this and that application, full of details on how the stars need to be perfectly aligned in order for you to inadvertently disclose to the whole world the first and second letter of the name of the application that you are running, I have decided to write this small guide to “writing a responsible vulnerability disclosure”. Follow the simple rules below and I am sure you’ll be able to write professionally-looking vulnerability disclosures in no time.

Step 1. Opening paragraph: some obvious statement that tries to say – possibly twice in the same sentence – why this vulnerability is the most important thing in the world today. It needs to be along the lines of “drop everything you’re doing and get acquainted with this finding; your life, family, and future will soon depend on it.”

Given the rise of the Internet as the main channel for doing business, the following finding will become more and more important as users rely on the Internet to buy goods and services.

Step 2. Now that we’ve been enlightened on the importance of the Internet, thank you, we can be introduced to the vulnerability: the language is for the person “in the know”, making sure that the worst apocalyptic scenario is introduced first.

Convert.exe, written by John Doe from Dellview, NC, is used by virtually every human being to convert PNG-24 image files without transparency to PNG-24 files with transparency. This ubiquitous application is vulnerable to an auditory side-channel attack that allows attackers to guess a user’s password and everything else he’ll be thinking of in the next 72 hours. If you are using Convert.exe, and chances are that you do or will be doing soon, then you’ll be dead in the next 2 hours. Given the diffusion of the application, the human race is at risk of extinction.

Step 3. Now it should be clear to the reader that the world is near its end; time for the most convoluted of the explanations. Notice how you, the researcher, are trying to be mum about the details of the exploitation. After all you are an ethical researcher and you don’t want to endanger the human species by disclosing too much information that could be useful to those pesky script kiddies.

Convert.exe has a feature – enabled by default – that makes a computer beep when a user presses a key on the keyboard that the application does not recognize. An attacker could take advantage of this design flaw by detecting the beep out of a computer’s speaker, analyzing femto-Hertz shifts in its frequency, and using a rainbow table to reduce the search space of the password to the user’s FaceBook account from 2^128 gazillion tries to 2^128 – 3 gazillion tries, thus enormously reducing the amount of time needed to guess the password.

Step 4. Just to make sure, show that you have also found another way to take advantage of this vulnerability. You really have the mindset of a hacker, don’t you?

Additionally, an attacker that was trying to take advantage of this vulnerability could also sit next to the user while he logs in to his bank account, writing down his keystrokes and then attempting to log in with his credentials.

Step 5. Now we know for sure that you are a smart researcher. Time to list the mitigating factors, which are those insignificant, little details that could make it a *bit* complicated for a hacker to exploit this vulnerability.

This issue is partially mitigated by the fact that an attacker would have to keep the victim user at gunpoint while he uses Convert.exe, would have to have slept with the user’s wife for a period not shorter than 52 days, and would have to be able to enumerate the first 242 lines of code of the 0.9.7m OpenSSL distribution while blindfolded on a stationary bike.

Step 6. Thank God, you have already thought of a temporary solution that will keep all of us safe while John Doe hurries to fix the vulnerability. After all, if John Doe does not want to fix it, you will GO PUBLIC! Let’s hope John Doe will listen. At least for our children.

Turn off the speaker of your computer when you use Convert.exe.

Finally, some references to other people’s work. Hey, this job is all about networking; make sure you don’t piss off people that deserve credit for your findings.

The author wishes to thank Dmitri Zhang whose eminent paper “Exploiting Heap Overflows in Ikea’s Mergön Garbage Bins with Only One Finger” was indispensable for this 7-year research into Convert.exe.

In conclusion, there’s no vulnerability disclosure without users’ comments. Make sure that at least one of the following comments gets posted within 3 minutes of your vulnerability disclosure.

Comment 1:

Microsoft sucks, Windows sucks, Microsoft and Windows suck. This is all Microsoft’s fault. You suck.

Comment 2:

Linux rulez! You are 0wn3d!

Comment 3:

Gee, am I missing something, or is this year’s BlackHat 2009 going to be super-exciting?
