Public Awareness of Zero-Day Issues

On 29th January, Cisco released a patch to correct a vulnerability within the SSL functionality in the Cisco Adaptive Security Appliance Software (ASA), which affects a number of their products. This vulnerability allowed an attacker to send multiple XML packets to a webvpn-configured interface on the affected system and thereby execute arbitrary code, giving the attacker full control of the system. A Cisco security team member stated that the organisation was not aware of any active exploitation of the vulnerability.

As stated above, Cisco has released a patch; however, it is only available to clients who have a current maintenance contract with them. Those clients who don’t have a contract will have to contact Cisco’s Technical Assistance Center (TAC), which is not renowned for its speedy service.

A number of articles have already been written about this patch release, and it is not my intention to add to them; the issue has been resolved and the resolution is easy to find on the internet.

What I would like to do instead is comment on the stance that Cisco and a number of other organisations take towards the companies that have purchased their products.

One such client left a comment on one of those websites stating, “It is a fricken protection racket. Customers need to pay exorbitant fees for Cisco Smart Net in order to protect themselves from.... Cisco mistakes.” The level of frustration is apparent. The general consensus is simply that it is acceptable for a company to charge for telephone support and feature packs, but not for patches that fix what is essentially a fault of the supplier’s own making, i.e. vulnerabilities.

I am also concerned about the time it takes for organisations such as Cisco to inform their clients about vulnerabilities. Yes, zero-day vulnerabilities do come to light, and vendors do work speedily to resolve them. However, carefully worded press releases such as Cisco’s, which says, “As soon as Cisco learned that there was potential public awareness of the issue, we immediately published a security advisory to inform customers what it is…”, make me wonder just how long Cisco (and other organisations using similar language) were aware of the vulnerability before informing their client base. The reason for my concern is the phrase ‘…learned there was potential public awareness…’, or, to put it another way, once the cat was out of the bag!

There is no mention of how long the vulnerability has existed. Has it been present since the previous patch, the one before that, or since the software was first created? How long have they known about it? They must have been aware of it for some time, as they announced it at the same time as they released the patch.

In security terms this can make sense: after all, if you make it known that there is a vulnerability before you have a patch for it, you are potentially informing those who may wish to produce an exploit. Even so, suppliers could make use of NDRs to help work around that.

So which approach is right? Should suppliers inform their clients immediately on discovering a vulnerability or should they wait until they either have a patch or it has become public knowledge?

I have to admit I’m on the fence with this one, as I can see the logic in both approaches. But I do honestly believe that when a client has registered their purchase of a product and a vulnerability is discovered in it, they should be sent the patch free of charge, without needing a support contract.