Researcher NKTPRO does not like the way Yahoo! manages security reports.
Last year he discovered a XSS Vulnerability in Yahoo! Mail, allowing attackers to steal Yahoo! accounts. After asking for “para-legal” advice, he decided to do the right thing and go for responsible disclosure. Communication was described as “very good” in the beginning, but almost two months later it wasn’t clear if the bug had been fully fixed yet, and no public acknowledgment of the problem nor credits to the reporter were given, anyway.
By contrast, Google maintains a dedicated communication channel for security researchers, is known to fix reported issues very timely and publicly thanks reporters.
Some weeks ago, NKTPRO found another XSS vulnerability affecting Yahoo! blogs, and this one was even worse: persistent, CSS-based and working with IE6, IE7 and Firefox 2 (unless NoScript was installed), it could enable attackers to build worms spreading through Yahoo! networks at a potentially very fast pace. Since our hero is apparently a nice guy, he decided to give Yahoo! a second chance, filing a responsible report again. But after waiting one month, frustrated by its counterpart’s kind of expected (lack of) responsiveness, he gave up and went for full disclosure, greeted by the almost unanimous approval of his fellow sla.ckers.
After full disclosure, the one-month old bug has been fixed in 3 days.
“Full vs responsible disclosure” is a potentially endless debate, but here we can see two different “corporate styles”, Yahoo!’s and Google’s, eliciting different reactions from whitehat hackers and ultimately leading to different results:
You can be open about your issues and your security processes, and “reward” reporters, not necessarily with money prizes, which may become dangerous when they feed an anonymous, uncontrolled vulnerability brokerage market. Most of these guys would just appreciate their name attached to your security page, for the glory and something interesting to add to their CV. In turn, you get valuable bug reports with practical proof of concepts, and a reasonable time frame to make your users safer and run regression tests.
Or you can decide to discourage confidential reports, either by threatening legal consequences for “testers” or just refusing to give public credit on their findings. It can work once, but as soon as it’s clear that responsible disclosure is not an option, you will be forced into tracking every each full disclosure forum out there and playing catch up in a rush because your vulnerabilities are already public and script kiddies may be busy with your users (good luck with code quality).
So, “big brother” concerns aside, do you feel safer with a Yahoo! Mail account or a GMail one?
For xB Browser, for users running XeroBank, we’ve removed noscript and replaces it with SPP. That allows users to protect against cross-site scripting, and false certificates, without dealing with NoScript issues.
SPP can’t obviously stand for Site Pecurity Policy. It wouldn’t make sense (spelling and grammar aside) because SSP is not meant and not going to replace NoScript anytime soon. The SSP we know does not allow “users to protect against” anything, it just allows compliant web sites to protect their own users (which is great, anyway).
So, any hint about this SPP supposed NoScript killer?
However Mozilla developers are working around the clock, and there’s already a patch being privately tested. All the information publicly available so far is that this vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and affects Firefox 2, 3 and likely all the products based on the same rendering engines. Technical details and exploitation proof of concepts are being kept private by Tipping Point as well until the patch is shipped, therefore Mozilla users should be relatively safe: after all we can be 99.99% sure every browser out there is vulnerable to something; we just hope that the bad guys don’t know the details yet.
I can add that, even in this case, NoScript users are the safest.
Not a big deal, really, if you consider FlashBlock a “noise reducer”: it does a great job, in facts, working almost always.
A bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flashvulnerabilities. Your next surprise video star may be way more malicious than Trojan.SWF.Astley…
To be fair, you would be in good company:
Slashdot, whose “flashblock” tag is attached to all the most recent Flash security horror stories
US-CERT (United States Computer Emergency Readiness Team)
If they just looked at FlashBlock’s FAQ, they would have found that the word “security” is never mentioned: a testament both to the good faith of the developers, who honestly advertise FlashBlock as an excellent annoyance blocker rather than a security enhancement, and to the superficiality of some advices.
Dancho is especially inexcusable, since he’s the only one forgetting to mention NoScript, which features similar flash-blocking capabilities but, being developed with security as its main focus, is immune from this and other possible circumventions and, more important, would regard even the most exotic unblockable edge case as a serious bug to be fixed as soon as possible.
