Lancope, Inc., a leader in network visibility and security intelligence, presented with Microsoft at Virus Bulletin 2013 in Berlin, Germany on Wednesday, October 2. Lancope’s Director of Security Research, Tom Cross, co-presented a session with Holly Stewart, Sr. Program Manager Lead at Microsoft Malware Protection Center, covering best practices for public disclosure of the fact that a security vulnerability is being exploited in the wild. The session defined the difference between vulnerability disclosure and disclosure of exploitation, and illustrated scenarios in which exploitation information can help the public defend against active threats, as well as scenarios in which exploitation information can result in increased attack activity.
Cross and Stewart discussed the ethics and timing of exploitation disclosure, presenting examples from various real-world case studies. “Disclosing the fact that exploitation is occurring is important for many reasons, including helping IT professionals and software vendors prioritise defensive efforts,” said Stewart. “However, exploitation disclosure can also attract the attention of attackers and accelerate attack activity.”
“New vulnerabilities may be uncovered by security professionals in the course of analysing malware samples or investigating breaches,” said Cross. “These security professionals are faced with a challenging ethical dilemma. There is attack activity going on that needs to be stopped as soon as possible, but the responsible software vendor may not know about the vulnerability in question and may need time to prepare a patch. As these circumstances have become increasingly common, it is important to understand the associated ethical considerations.”