I am starting to understand why John Gruber got so infuriated with Brian Krebs over at SecurityFix. Generally, I think Krebs’ reporting is no better or worse than anyone else’s attempt to present readable yet accurate coverage of security issues that may affect the average user.
However, this post irked me within the very first paragraph.
The vulnerability he’s reporting on came out of the Month of Kernel Bugs project:
At the beginning of the month, a security researcher known only as LMH started the project to highlight unpatched flaws that are so severe that malicious attackers could use them to completely subvert the security of vulnerable computers.
LMH: The Month of Kernel Bugs aims to demonstrate the current state of kernel code in the different operating systems available today, from a security/quality perspective.
Yes, they are researching security issues, among other things, but these guys are kernel hackers, not attackers. A milder rebuke may be warranted, around the ethical question of how their research may be used by others, but to jump straight to the conclusion that LMH and his collaborators are trying to “completely subvert the security of vulnerable computers” is soft thinking, at best, and fear-mongering, at worst.
The crux of what I object to in Krebs’ write up, though, is this particular logical contortion:
I used Safari to click on the file, and this indicated that the exploit had indeed resulted in a “kernel panic,” which in most cases means that if someone wanted to use the exploit to install malicious code, they could do so regardless of the security settings or precautions already present on the machine.
Yes, a kernel panic can be the result of a flaw that leads to code execution, and in this particular case the flaw does indeed appear to be exploitable in that way. But Krebs’ wording makes it seem as though every time you see the restart message indicating a kernel panic, hordes of ninja hackers are running all sorts of vile code on your box. A panic only tells you that the kernel hit a fault it could not recover from; whether that fault is something an attacker can control, rather than a plain crash, is a separate question that the panic by itself does not answer.
He also sets the problem up as if the corrupted DMG that LMH provides as a demonstration results in code execution, in other words as if there were a real, working exploit loose in the wild. I don’t see anything in the bug posting to indicate that this is the case. Yes, memory corruption is a well-known route to arbitrary code execution, but demonstrating the memory corruption (a crafted file that makes the kernel fall over) is not the same as having a full-blown exploit that turns the corruption into controlled execution, and it is the latter that users would need to take direct action to prevent.
I also think it is irresponsible of him not to at least suggest a workaround or remedy, especially when the bug report itself does so: disable the Safari preference that automatically opens “safe” files after downloading, so that a downloaded DMG is not mounted without the user asking for it. About the only issue he gets right, and there he is quoting someone else, is that because file system mounting is normally a privileged operation, a flaw in the mount code runs with kernel privileges; it therefore offers a path to privilege escalation that a bug in a purely user-space application ordinarily does not.
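To make the distinction in the two paragraphs above concrete, here is an added example in C. It is mine, not code from this post, from Apple, or from the MoKB report. The “VOL1” volume-header format it parses is invented for the illustration and is not the DMG format, and the sample images are constructed by hand. The trusting parser uses a length field from the untrusted image without checking it, which is the generic memory-corruption pattern behind a crashing proof of concept; the checked parser validates that length against both the destination buffer and the bytes actually present before copying anything.

```c
/* Added example, not code from the post, from Apple, or from the MoKB
 * report. The "VOL1" format is invented for illustration and is not DMG;
 * the bug shown is the generic pattern (unchecked attacker-supplied length). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* longest volume name the parser will accept */
#define HDR_FIXED 8   /* magic (4 bytes) + name_len (4 bytes, little-endian) */

struct volume {
    char name[NAME_MAX + 1];   /* NUL-terminated copy of the name field */
    uint32_t name_len;
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Trusting parser: name_len comes straight from the untrusted image and is
 * used as the copy length. On a malformed image this reads past the input
 * and writes past vol->name: the memory corruption a crashing proof of
 * concept demonstrates. In a mount path this code runs in the kernel, so the
 * visible symptom is a panic; whether the overwrite can be steered into code
 * execution is a separate question the panic does not answer. The demo only
 * ever feeds this function the well-formed image. */
int parse_trusting(const uint8_t *img, size_t img_len, struct volume *vol)
{
    if (img_len < HDR_FIXED || memcmp(img, "VOL1", 4) != 0)
        return -1;
    vol->name_len = rd_le32(img + 4);
    memcpy(vol->name, img + HDR_FIXED, vol->name_len);   /* unchecked length */
    vol->name[vol->name_len] = '\0';
    return 0;
}

/* Hardened parser: the untrusted length is checked against the destination
 * buffer (no overwrite) and against the bytes actually present in the image
 * (no over-read) before a single byte is copied. */
int parse_checked(const uint8_t *img, size_t img_len, struct volume *vol)
{
    if (img_len < HDR_FIXED || memcmp(img, "VOL1", 4) != 0)
        return -1;                       /* truncated header or bad magic */
    uint32_t n = rd_le32(img + 4);
    if (n > NAME_MAX)
        return -2;                       /* would overflow vol->name */
    if (n > img_len - HDR_FIXED)
        return -3;                       /* would read past the end of the image */
    memcpy(vol->name, img + HDR_FIXED, n);
    vol->name[n] = '\0';
    vol->name_len = n;
    return 0;
}

/* Constructed sample images (not captured from any real DMG). */
static const uint8_t good_img[] = {          /* name_len = 8, 8 bytes follow */
    'V','O','L','1', 0x08,0x00,0x00,0x00, 'U','n','t','i','t','l','e','d' };
static const uint8_t huge_len_img[] = {      /* name_len = 255, far past NAME_MAX */
    'V','O','L','1', 0xFF,0x00,0x00,0x00, 'A','B','C','D' };
static const uint8_t short_img[] = {         /* name_len = 16, only 4 bytes present */
    'V','O','L','1', 0x10,0x00,0x00,0x00, 'A','B','C','D' };

/* Small wrappers so results can be checked as return values. */
int checked_rc(const uint8_t *img, size_t len)
{
    struct volume v;
    return parse_checked(img, len, &v);
}

int checked_name_is(const uint8_t *img, size_t len, const char *want)
{
    struct volume v;
    return parse_checked(img, len, &v) == 0 && strcmp(v.name, want) == 0;
}

int trusting_name_is(const uint8_t *img, size_t len, const char *want)
{
    struct volume v;
    return parse_trusting(img, len, &v) == 0 && strcmp(v.name, want) == 0;
}

int main(void)
{
    printf("well-formed image: checked rc=%d, trusting agrees=%d\n",
           checked_rc(good_img, sizeof good_img),
           trusting_name_is(good_img, sizeof good_img, "Untitled"));
    printf("name_len 255 > NAME_MAX: checked rc=%d\n",
           checked_rc(huge_len_img, sizeof huge_len_img));
    printf("name_len runs past image: checked rc=%d\n",
           checked_rc(short_img, sizeof short_img));
    /* parse_trusting(huge_len_img, ...) is deliberately not run: it would
     * copy 255 bytes into a 33-byte buffer. */
    return 0;
}
```

Compile with any C99 compiler and run it; the checked parser returns -2 for the oversized length and -3 for the length that runs past the image, and both parsers agree on the well-formed one. The point of keeping the trusting parser in the file is the contrast: feeding it the malformed image is exactly the kind of crash a proof-of-concept file produces, and if that parser sat in a kernel mount path the crash would surface as a panic. Turning that overwrite into something useful to an attacker depends on what lies past the buffer, which is the part a panic report does not tell you.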
Look, I understand that many feel stirring the pot, à la Dvorak, is a sure-fire recipe for page hits, but in the case of security reporting I strongly feel that accuracy is more important than anything else.