Network Computing is part of the Informa Tech Division of Informa PLC

See no vulnerabilities, hear no vulnerabilities

Yesterday, Computerworld reported on a Gartner tidbit that "QuickTime Vulnerability Exposed by Contest Poses Wide Risk". I'm in complete agreement with the title. The QuickTime vulnerability is indeed a pretty nasty one. It impacts both Mac and Windows (including Vista!) machines with any web browser, as long as Java and QuickTime are installed and enabled. Pretty bad combination.

Unfortunately, my agreement with the analysts doesn't make it much beyond the title. The second line of the summary is:

The incident highlights the danger of vulnerability research conducted in public.

There are a couple of problems with this. First, the actual vulnerability research was not conducted in public. Dino Dai Zovi, who developed the exploit, wasn't even in Vancouver where the contest was being run. Secondly, I'm not sure what danger was highlighted. I'd call this a success story for responsible disclosure.

Had the contest not been run, Dino might not have found the vulnerability first (he himself points out in the Computerworld story that he certainly wouldn't have been as motivated), and we might not have been so lucky that whoever did find the vulnerability would be content with the normal ZDI payments. Instead they might have decided to sell the vulnerability for much more to malware authors or other digital mobsters (yes, I cringed when I wrote it too, but it's descriptive).

Now had the contest been run in such a manner that the exploit was liable to leak into the wild, I'd agree that it was a risky stunt and possibly not worth the effort. However, that doesn't seem to be the case.