… (or should I say "Potatoe" in honor of primary season? )
Chris over at Zero in a Bit has a thoughtful post on the timeline for the recent RealPlayer vulnerability found by Gleg. This strikes me as the type of thing we need to learn to live with. Though perhaps not optimal to some, it is certainly a better case than the undercover exploit. And in any case, it is pretty difficult to change, given the slow evolution of the discovery/disclosure cycle. There is so much resentment inherent throughout the process that it ends up creating a hot potato of blame:
- Blame the developers (Chris: "Certainly, Real needs to increase its efforts to reduce security vulnerabilities in its shipping products." If perfect software is the goal, then I can see where he could make this statement. Else, I would love to know what objective measure of effort is expected. I guess this is a good use case for the WTF/Minute.)
- Blame the bugfinders. Actually, I think part of the problem with this evolving situation is that we haven't blamed bugfinders in the past. Certainly, some high-profile folks have made a good name and good money from this process (while increasing risk along the way). Now, bugfinders have to look for different ways to make the name and the money. Enter Gleg.
- Blame the users. Prevailing wisdom appears to be that once the patch is available, it is the users' fault if they don't apply it. This, of course, is prevailing only among folks who work with homogeneous, vanilla, small IT infrastructures. Anyone with significant enterprise experience immediately recognizes the inherent difficulties herein.
I don’t think any of the players actually empathize with the plight of the others and recognize how much misinformation and miscommunication occurs throughout.
You'd think by this stage nobody would rely so heavily on a process that can't be controlled, especially given that such reliance completely ignores what is widely regarded as conventional wisdom: that undercover exploits are common (and there ain't no patch for them).
Chris's post is confused. The Gleg vulnerability is not being used to own people as he suggests. The SANS Diary post he references notes that it's an older vulnerability – i.e. people are not patched up.