Being open about software security vulnerabilities
Introduction
Vulnerabilities are constantly being researched and discovered by the security industry, software companies, cybercriminals and other individuals. Nevertheless, when vulnerability disclosure is considered, how much information to provide and when to make it public remains a contentious issue. Lately, I have seen many companies being upfront about the security exposure of their software and the remedies they take to address such vulnerabilities. A vulnerability can let an intruder run code on a target system or access its memory. The means by which vulnerabilities are exploited are varied and include code injection and buffer overruns; they may be carried out through hacking scripts, applications or hand-written code.
CVE
CVE stands for Common Vulnerabilities and Exposures. It is a list of common identifiers for publicly known cyber security vulnerabilities. Use of CVE Identifiers, or "CVE IDs," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when they discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation. More information about CVE can be found at CVE home.
Analysis
While doing my recent macOS upgrade, I came across Apple's release notes and started reading them. I found there were fixes for several security vulnerabilities. The Apple document can be found here. I found the following stats especially interesting.
- 149 CVE entries addressed
- 23 anonymous researcher reports
- 5 Australian Government agency reports
- 1 UK Government agency report
An operating system kernel security vulnerability was reported by a UK government agency. Here are the details of that entry.
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization
CVE-2017-13818: The UK's National Cyber Security Centre (NCSC)
Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
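As an added example (not code from the post or from Apple), here is a small Python parser for release-note entries in the layout shown above; it collects each entry's fields and CVE credits and reproduces a reporter tally like the one above. The second entry, its CVE-0000 identifier and the keyword-based classifier are my own constructed placeholders and assumptions.

```python
import re
from collections import Counter

# Credit lines look like "CVE-YYYY-NNNN: <reporter>"; the sequence part is 4+ digits.
CREDIT_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.+)$")

# Constructed sample in the layout of an Apple security release note. The first
# entry is the one quoted on the page; the second is a placeholder (CVE-0000-...
# is not a real identifier) that only exercises the "anonymous" bucket.
SAMPLE_NOTES = """\
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization
CVE-2017-13818: The UK's National Cyber Security Centre (NCSC)
Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6

Impact: placeholder (constructed)
CVE-0000-0001: an anonymous researcher
Available for: placeholder (constructed)
"""

def classify_credit(credit):
    """Bucket a credit into the reporter categories the post tallies (assumed keywords)."""
    c = credit.lower()
    if "anonymous" in c:
        return "anonymous"
    if "government" in c or "national cyber security centre" in c:
        return "government"
    return "named"

def parse_entries(text):
    """Split note text on blank lines; keep each entry's fields and its CVE credits."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {"credits": {}}
        for line in block.splitlines():
            m = CREDIT_RE.match(line)
            if m:
                entry["credits"][m.group(1)] = m.group(2).strip()
            elif ":" in line:  # Impact / Description / Available for
                key, value = line.split(":", 1)
                entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def tally(text):
    """Count CVE IDs per reporter category, plus the total, across all entries."""
    credits = [c for e in parse_entries(text) for c in e["credits"].values()]
    counts = Counter(classify_credit(c) for c in credits)
    counts["total"] = len(credits)
    return counts
```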
The analysis showed that many parties indeed contribute to vulnerability reporting. That is a gift to software developers. It is a community effort in the end. It should motivate software developers to fix reported issues in a timely manner while strengthening the security of their respective products.
Conclusion
I was amazed to find how other governments and outside researchers are helping premier software like macOS stay secure by finding security vulnerabilities. Without the help and contribution of others, software itself cannot stay secure. It is a community effort through the collaboration and contribution of all parties involved in the development, distribution and consumption of software.