The recent WikiLeaks publications regarding “Vault 7” are certainly breathtaking in scope. But, from a cursory browsing, they represent nothing new. As long as we keep innovating, code will have bugs. As long as there are bugs, there will be zero days. And as long as there is an advantage to be gained by employing zero-day exploits, hackers gonna hack.
And while we need to have the Responsible Disclosure conversation, there are some similarly thorny problems lurking in the shadows. Disclosing a bug is only the first step in eliminating the threat. A vendor needs to patch the bug, which may be simple. Or it may be difficult. Either way, it’s only the next step in the story.
The lurking questions come when we consider how to deliver the patch.
• Should the patch be delivered automatically by the vendor? Maybe, but how comfortable am I having MegaCorp, the manufacturer of my hyper-intelligent, network-attached blender, pushing updates into my network? How do I know that’s safe? And what if I’m in the middle of entertaining a group of friends when the blender has to reboot because of a critical security update?
• Should I, as the product owner, have to apply the patch myself? Again, maybe. But how much time am I going to have to spend updating all my devices? And is it realistic to expect every user of electronic devices to manually update them on a regular basis? Probably not.
• Finally, if I’m using my device in my employer’s network, should my employer be able to compel me to patch my gear? Maybe. But how will my employer validate that I’ve done so? I don’t want my employer putting anything on my personal device.
It turns out that patching equipment in the field is a messy business. When done right, nobody notices – most of the time. But even when it’s done right, sometimes there are service disruptions, such as when a restart is required. Where customer approval is required, the patch is sometimes applied long after it becomes available, or not at all.
Between consumers, manufacturers, and the network operators who allow third parties to connect, there is a set of legitimate, conflicting interests. Capitalizing on any agreement we get on Responsible Disclosure will require reconciliation of those interests. We need this public conversation as urgently as we need the Responsible Disclosure discussion.
The unspoken question is: do we have the stomach to adopt the adage “Patchers gonna patch”?
Dave Farrow is the Senior Director of Information Security for Barracuda.