Creating and Getting a Security Advisory Published - security

This question comes from my experience with the following question: https://stackoverflow.com/questions/492748/new-responses-icon-on-so-crashes-ie7-closed
In that question, you will see the effort I put forth in debugging this crash in IE, and in doing so, I can see the potential threat of exploitation and remote code execution.
So, given that I have already spent the time, I was wondering if anyone knows all the steps and the proper process/procedures one has to take to actually get a real security advisory published. I've never done it, and a couple of quick searches didn't turn up anything on the subject.
It's been a week since I posted the question, so this exploit has mold growing on it already, but I still haven't seen it addressed yet, so the threat still exists.
If you have done this type of thing before, would you be willing to help someone out?

The first step is to contact the vendor.
A quick Google search revealed this page, which, if you click on "I need to report a possible security vulnerability to Microsoft.", instructs you to send a mail to secure[at]microsoft.com. Honestly, I'd give that a shot.
Note that after the initial "thank you" mail, you may or may not hear anything back from them until they make decisions about the severity and urgency of the issue, or even until you see the update notification pop up on your own machine.

Related

I found a vulnerability on a website, how do I approach the company about it?

This is the first time I have found a vulnerability on a website.
A client just wanted some data scraped from an auction website.
While collecting the client's data, I noticed that if something sold, you would need to buy a yearly subscription to see how much it sold for, the glossary, item info, etc.
But I found that the price it sold for is still being injected by JavaScript but not being displayed, and this is a feature they ask customers to pay for.
I just wanted to get advice from people who usually test vulnerabilities on how they approach the companies about the vulnerability.
Thanks in advance.
First of all, StackOverflow is more focused on software development, the Security StackExchange would be more appropriate to ask such questions.
If I understood the context correctly, you do not have any security audit contract that explicitly allows you to look for vulnerabilities. Yet you were commissioned to scrape their website, so looking at their code is part of what you had to do. I would say the answer depends on whether you were in the scope of your mission or not. Did you notice this flaw without even trying, or did you dig more than you should have?
If this flaw appeared to you while you were doing the job you were asked to do, then I would say it's pretty safe to just email them in the context of your job.
If this vulnerability is too far out of your scope, then be careful, because if they don't like it, worst case scenario they could very well pressure your company to fire you or something (they would be total idiots to do so, but better to be careful when dealing with security). If you are in this scenario, I suggest you report the vulnerability "anonymously" (it doesn't have to be overcomplicated; simply use an email address not containing your name or the name of your company and you'll be alright). You could also check out bug bounty platforms to see if they are affiliated with any program. Also, some platforms such as openbugbounty provide ways to report vulnerabilities "anonymously".
In my experience, I've never seen any company being a total jerk and going after someone reporting a vulnerability in good faith; companies are generally concerned about security and will thank you for telling them there's something wrong.
Either way, try to be as descriptive as possible so they can understand the issue and fix it.
Just stating the obvious here: don't disclose this vulnerability publicly or you're exposing yourself to some big trouble.

Hacking and exploiting - How do you deal with any security holes you find?

Today, online security is a very important factor. Many businesses are completely based online, and there are tons of sensitive data available to check out only by using your web browser.
Seeking knowledge to secure my own applications, I've found that I'm often testing other people's applications for exploits and security holes, maybe just out of curiosity. As my knowledge in this field has expanded by testing my own applications, reading zero-day exploits and reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, I've come to realize that a majority of online web applications are really exposed to a lot of security holes.
So what do you do? I have no interest in destroying or ruining anything, and after my biggest "breakthrough" in hacking I decided to alert the administrators of the page. My inquiry was promptly ignored, and the security hole has still not been fixed. Why wouldn't they want to fix it? How long will it be before someone with bad intentions breaks in and chooses to destroy everything?
I wonder why there's not more focus on this these days, and I would think there would be plenty of business opportunities in actually offering to test web applications for security flaws. Is it just me who has too much curiosity, or is there anyone else out there who experiences the same? It is punishable by law in Norway to actually try to break into a web page; even if you just check the source code, find the "hidden password" there and use it to log in, you're already breaking the law.
I once reported a serious authentication vulnerability in an online audiobook store that allowed you to switch the account once you were logged in. I was wary too about whether I should report this, because in Germany hacking is forbidden by law too. So I reported the vulnerability anonymously.
The answer was that although they couldn’t check this vulnerability by themselves as the software was maintained by the parent company they were glad for my report.
Later I got a reply in that they confirmed the dangerousness of the vulnerability and that it was fixed now. And they wanted to thank me again for this security report and offered me an iPod and audiobook credits as a gift.
So I’m convinced that reporting a vulnerability is the right way.
"I've found that I'm often testing others' applications for exploits and security holes, maybe just for curiosity."
In the UK, we have the "Computer Misuse Act". Now, if these applications you're proverbially "looking at" are, say, Internet based and the ISPs concerned can be bothered to investigate (for purely political motivations), then you're opening yourself up to getting fingered. Even doing the slightest "testing", unless you are the BBC, is sufficient to get you convicted here.
Even penetration test houses require sign-off from companies who wish to undertake formal work to provide security assurance on their systems.
To set expectations on the difficulty of reporting vulnerabilities: I have had this with actual employers where some pretty serious stuff has been raised and people have sat on it for months, with consequences ranging from brand damage to even completely shutting down operations to support an annual £100m e-commerce environment.
I usually contact the site administrator, although the response is almost ALWAYS "omg you broke my javascript page validation I'll sue you."
People just don't like to hear that their stuff is broken.
Informing the administrator is the best thing to do, but some companies just won't take unsolicited advice. They don't trust or don't believe the source.
Some people would advise you to exploit the security flaw in a damaging way to draw their attention to the danger, but I would recommend against this, and it's possible that you could have serious consequences because of this.
Basically if you've informed them it's no longer your problem (not that it ever was in the first place).
Another way to ensure you get their attention is to provide specific steps as to how it can be exploited. That way it will be easier for whoever receives the email to verify it and pass it on to the right people.
But at the end of the line, you owe them nothing, so anything you choose to do is sticking your neck out.
Also, you could even create a new email address for yourself to use to alert the websites, because as you mentioned, some places it would be illegal to even verify the exploit, and some companies would choose to go after you instead of the security flaw.
If it doesn't affect many users, then I think notifying the site administrators is the most you can be expected to do. If the exploit has widespread ramifications (like a Windows security exploit) then you should notify someone in a position to fix the problem, then give them time to fix it before you publish the exploit (if publishing it is your intention).
A lot of people cry about exploit publication, but sometimes that's the only way to get a response. Keep in mind that if you found an exploit, there's a high likelihood that someone with less altruistic intentions has found it and has started exploiting it already.
Edit: Consult a lawyer before you publish anything that could damage a company's reputation.
I experienced the same as you. I once found an exploit in an osCommerce shop where you could download ebooks without paying. I wrote two mails:
1) Developers of osCommerce: they answered "Known issue, just don't use this PayPal module, we won't fix"
2) Shop administrator: no answer at all
Actually I have no idea what the best way to behave is ... maybe even publish the exploit to force the admins to react.
Contact the administrator, not a business-type person. Generally the admin will be thankful for the notice, and the chance to fix the problem before something happens and he gets blamed for it. A higher-up, or the channels a customer service person is going to go through, are the channels where lawyers get involved.
I was part of a group of people who reported an issue we stumbled across on the NAS system at University. The admins were very grateful we found the hole and reported it, and argued with their bosses on our behalf (the people in charge wanted to crucify us).
We informed the main developer about an SQL injection vulnerability on their login page. Seriously, it's the classic '<your-sql-here>-- variety. You can't bypass the login, but you can easily execute arbitrary SQL. It still hasn't been fixed in 2 months! Not sure what to do now... no one else at my office really cares, which amazes me since we pay so much for every little upgrade and new feature. It also scares me when I think about the code quality and how much stock we are putting in this software.
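The '<your-sql-here>-- pattern mentioned in the answer above comes from splicing user input into the SQL text. This is an added example (not code from the vendor's product or from the poster) with a constructed in-memory SQLite table: the vulnerable lookup beside the hardened, parameterized form, so a developer fixing such a login page can see exactly what changes.

```python
import hashlib
import sqlite3


def hash_pw(pw: str) -> str:
    # sha256 keeps the example self-contained; a real login should use a
    # slow password KDF such as scrypt or bcrypt instead.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample user table standing in for the application's DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (hash_pw("correct horse"),))
    db.commit()
    return db


def vulnerable_lookup(db: sqlite3.Connection, username: str, password: str):
    """Defective form: the username is concatenated into the statement text, so a
    quote plus a comment marker in the input rewrites the query itself."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + hash_pw(password) + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def safe_lookup(db: sqlite3.Connection, username: str, password: str):
    """Hardened form: placeholders pass the values separately from the SQL text,
    so the same input is compared as an ordinary string and matches nothing."""
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Same malformed username against both versions: the concatenated query
    # degrades to "... WHERE username = 'admin'" and ignores the password.
    print("vulnerable:", vulnerable_lookup(db, "admin'--", "wrong"))
    print("hardened:  ", safe_lookup(db, "admin'--", "wrong"))
```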

What advice are you giving your Web user community about the IE security issue?

Perhaps not directly programming related, but definitely product / commercially related. And I can't find a dupe, so I thought I would ask.
I have had a bit of trouble trying to figure out what best to say to people who have called and asked for advice. The Microsoft message is a bit worrying - basically, be worried, lock up everything and hold on tight. Some of the people I have directed towards that route have objected because of what it does to their browsing experience.
The "go get Firefox" message seems to be going down a bit better. What is the real story and what is the best advice to give?
How much actual risk does it pose between now and when MS patches it?
Edit: here are the links that my community seem to be reading...
WSJ
NP
BBC
Switch to another browser, already.
Chrome and Firefox would be my first two choices. Firefox would probably be best for now, just because it has a longer history.
The only way to prevent this on IE is to follow Microsoft's workaround procedures, which will cause a huge headache for users.
Use Firefox
Use NoScript (if you want proper defence in depth). I can simply say that 95+% of all client-side exploits require JavaScript, and 90% of the time these are loaded from a 3rd party website. Therefore switching to FF and using NoScript is a really good solution.
"How much actual risk does it pose between now and when MS patches it?"
If you look at 0-days in IE there are a bunch of them, and IE has the worst security track record. Also, it's one of the most targeted applications for attackers because there is clear profit in it. Therefore using IE is generally not a good idea.
If you have to use IE,
Use protected mode
Use the latest stable version
Keep your windows updated
Run it as a least privileged user
Use a process control and personal firewall application such as Comodo Firewall (process control applications, if you can use them right, can solve many of these problems, but they have a massive overhead for the user)
Details of previous IE issues, there are lots of them!
http://secunia.com/advisories/product/11/?task=advisories (IE 6)
http://secunia.com/advisories/product/12366/?task=advisories (IE 7)
You can tell them to patch by following some workarounds, but as you noticed, it's not going to save them in the long run.
Apart from switching browsers, pay attention to the emergency patch: get it installed.

What should be included in your software product forum so that clients can utilize it to the maximum?

My company is planning to start a forum for our software product which the clients can refer for general FAQ's, problems etc.
Right now we are planning to have:-
User manuals.
Best practices for different sections of the application
Frequently faced problems.
Forum where user can discuss issues with development team.
Any other ideas?
Edit:-
We have RSS and E-mail notification subscription to the forum.
"Forum where user can discuss issues with development team."
I don't know if this is a euphemism for "issue tracker", but if not, make sure you include a way for people to submit bug/feature/enhancement reports and track them to completion. Nothing is worse than not being able to submit a bug report, or being able to submit a bug report but only into a black hole.
Communication is key.
If you add an issue tracker as suggested by Kevin, your list seems pretty ok to me.
I'd also suggest that you do not start out with too many different services that require interaction from your side (e.g. your developers) at first. I've seen (too) many good initiatives die simply because nobody in the company had enough time, e.g. for regularly answering the forum questions.
In your case, I guess "best practices", "frequent problems" and the forum will all consume regular time from your dev team if you want to keep them alive and up to date, especially in the beginning. So I would not add more services at the beginning, but make sure to get these right (and you can always add more services later on if you find that the users need them :-).
You.
Show that you care about your customers.
Many useful tips at Creating passionate users blog.

How to collect customer feedback? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
What's the best way to close the loop and have a desktop app "call home" with customer feedback? Right now our code will login to our SMTP server and send me some email.
The site GetSatisfaction has been an increasingly popular way to get customer feedback.
http://getsatisfaction.com/
GetSatisfaction is a community-based site that builds a community around your application. Users can post questions, comments, and feedback about an application and get answers to their questions either from other members or from members of the development team themselves.
They also have an API so you can incorporate GetSatisfaction into your app and/or your site.
I've been playing with it for a couple of weeks and it is pretty cool. Kind of like stackoverflow, but for customer feedback.
Feedback from users and programmers is simply one of the most important points of development, in my opinion. The whole web 2.0 / beta concept is more or less built around this idea, and therefore there should be absolutely no pain involved whatsoever for the user. What does it have to do with your question? I think quite a bit.
If you provide a feedback option, make it visible in your application, but don't annoy the user (like MS sometimes does with their feedback thingy on their website above all elements!!). Place it somewhere directly visible, but discreet. What about a separate menu entry? Some leftover space in the status bar? Put it there so it is accessible all the time. Why? People really liking your product, or who are REALLY annoyed about something, will probably find your feedback option in any case, but you will miss the small things. Imagine a user unsure about the value of his input: "should I really write to him?". This one will probably not make the effort of searching, and in the end these small things make a really outstanding product, don't they?
OK, the user found your feedback form, but how should it look and what's next? Keep it simple and don't ask him dozens of questions or provoke him with checkboxes and radio buttons. Give him two input fields, one for a title and one for a long description. No more and no less. Maybe a small text briefly giving him some info on what might be useful (OS, program version etc., maybe his email), but leave all this up to him.
How to get the message to you and how to show the user that his input counts? In most cases this is simple. Like levand suggested, use HTTP and post the comment to a private area on your site and provide a link to his input. After reviewing his input, make it public and accessible for all (if possible). There he can see your response and that you really care, etc. Why not use the mail approach? What about a firewall preventing him from accessing your site?
Due to spam, in quite a few modern routers these ports are closed by default, and you certainly will not get any response from workers in bigger companies; however, port 80 or 443 is often open... (maybe you should check if the current browser has a proxy configured and use that one). Although I haven't used GetSatisfaction yet, I somewhat disagree with Nick Hadded, because you don't want third parties to have access to possibly private and confidential data. Additionally, you want "one face to the customer" and don't want to open up your customer base to someone else. There is SOO much more to tell, but I don't want to get banned for tattling .. haha! THX for caring about the user! :)
You might be interested in UseResponse, an open-source (yet not free) hosted customer feedback / idea gathering solution that will be released in December, 2001.
It should run on the majority of PHP hosting environments (including shared ones), and according to its authors it has absorbed only the best features of its competitors (mentioned in other answers) while having little to none of their flaws.
You could also have the application send a POST http request directly to a URL on your server.
What we are forgetting here, my friend, is this: is having a mere form on your website enough to convince the users how much effort a company puts in to act on that precious feedback?
A user's note to a company is a true image of the product or service that they offer. In web 2.0 culture, people feel proud of being part of the continuous development strategy always preached by almost all companies nowadays.
A community engagement platform is the need of the hour, and an entry point on your website that gains enough traction from visitors to start talking about what they feel will leave no stone unturned in getting that precious feedback. That's where products like GetSatisfaction, UserRules or Zendesk come in.
A company's active community that involves unimagined ideas, unresolved issues and of course testimonials conveys the better development strategy of the product or service they offer.
Personally, I would also POST the information. However, I would send it to a PHP script that would then insert it into a MySQL database. This way, your data can be pre-sorted and pre-categorized for analysis later. It also gives you the potential to track multiple entries by single users.
There are quite a few options. This site makes the following suggestions:
http://www.suggestionbox.com/
http://www.kampyle.com/
http://getsatisfaction.com/
http://www.feedbackify.com/
http://uservoice.com/
http://userecho.com/
http://www.opinionlab.com/content/
http://ideascale.com/
http://sparkbin.net/
http://www.gri.pe/
http://www.dialogcentral.com/
http://websitechat.net/en/
http://www.anymeeting.com/
http://www.facebook.com/
I would recommend just using pre built systems. Saves you the hassle.
Get an Insight is good: http://getaninsight.com/
