
An overhyped GHOST - sciurus
https://lwn.net/Articles/630866/
======
dsacco
Funny, I wrote a blog post about this as well.[1]

Vulnerabilities do _not_ need PR, especially not on the scale of picking a
sexy name and making a cool logo. I'll repeat what I said in my blog post
here.

Branding vulnerabilities accomplishes two things, both of which are bad for
the security community and the broader tech community:

1. It implicitly establishes vulnerabilities as severe if they are widely
reported on. Getting media attention does not necessarily mean a vulnerability
is serious. It means you have content that will generate views. I’ve been in
the press twice for vulnerabilities found in widely used web applications –
neither I nor anyone who is even remotely familiar with security would claim
that media attention elevates a vulnerability to the same level as Heartbleed.
But the broader public doesn’t know this, and the media capitalizes on it.

2. It implicitly rates a vulnerability’s severity by how much attention and
“buzz” it generates, not by how severe it is according to an objective scale.
Yes, Heartbleed and Shellshock were severe. Did you know that all the
vulnerabilities that received bounties from The Internet Bug Bounty Program
were also severe? They didn’t receive media attention. They didn’t need to
receive media attention – the normal process of responsible and coordinated
disclosure is enough (and I’m willing to say that for extremely high-severity
cases like Heartbleed, a brand may be warranted – but not for anything less).

Having widespread press attention via a logo and a name is just another noisy
metric that will soon be added to the list of necessities for a vulnerability
to have any credibility. Michal Zalewski and Project Zero find vulnerabilities
on the scale of the so-called "GHOST" weekly. They are resolved without the
need for panic or self-promotion.

This activity, like all fame seeking in the infosec industry, is encouraging a
race to the bottom where people focus on the wrong things to decide if a
vulnerability warrants attention. For every legitimate Heartbleed and
Shellshock, there are 20 vulnerabilities people try to brand and put on the
front page of Hacker News and /r/netsec.

[1]: http://breakingbits.net/2015/01/27/your-vuln-does-not-need-a-brand/

~~~
Natsu
While I can agree about over-hyping things, I've seen a lot of really, really
ancient crap finally getting much-needed upgrades due to some of the hype,
like Debian Lenny, which hasn't had security updates for 3 years now.

Marketing vulnerabilities doesn't really sit well with me, but at least
there's something of a silver lining. More people are actually paying
attention to security and at work I've been helping clue people into better
security practices. The status quo is pretty sad.

Though I grant I've seen some nonsense, too, likely generated by some sort of
hype. For reasons I cannot explain, a lot of people suddenly want to do mutual
auth against any old public CA-issued cert. It's not as if anyone can run
s_client, find all the trusted issuers listed in the ServerHello (and possibly
other random certs, because some people put the whole chain in there), and pay
the CA a few bucks for a cert to auth with.
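The mutual-auth concern in the comment above, as an added example that is not from this thread or from any project it mentions: a Go program written for this page that constructs two CAs in memory, one private and one standing in for an unrelated public CA, issues a client certificate from each, and checks both against a server `tls.Config` whose `ClientCAs` pool holds only the private CA. All names (`Example Private Client CA`, `device-0001`, and so on) are constructed. In Go, leaving `ClientCAs` nil makes the handshake verify client certificates against the system root store, which is the "any public CA-issued cert" configuration the comment describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer is a constructed certificate authority held in memory for the example.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates a certificate from tmpl, signed by parent with signerKey, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newIssuer creates a self-signed CA certificate with the given common name.
func newIssuer(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

// issueClientCert signs a leaf certificate marked for TLS client authentication.
func (i *issuer) issueClientCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, i.cert, &key.PublicKey, i.key)
}

// serverConfig is the hardened mutual-TLS setting: client certificates are
// verified only against the explicit pool. A nil ClientCAs would fall back to
// the system root store, so any cert bought from a public CA would pass.
func serverConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
	}
}

// verifyClient applies the same chain check the handshake performs for a
// presented client certificate under cfg.
func verifyClient(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// demo builds a private CA plus a second CA standing in for an unrelated public
// CA, issues one client cert from each, and reports which one the server accepts.
func demo() (privateOK, foreignOK bool, err error) {
	private, err := newIssuer("Example Private Client CA") // constructed
	if err != nil {
		return false, false, err
	}
	foreign, err := newIssuer("Some Public CA") // constructed stand-in
	if err != nil {
		return false, false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(private.cert) // trust only our own issuer for client auth
	cfg := serverConfig(pool)
	ours, err := private.issueClientCert("device-0001")
	if err != nil {
		return false, false, err
	}
	theirs, err := foreign.issueClientCert("any-paying-customer")
	if err != nil {
		return false, false, err
	}
	return verifyClient(cfg, ours) == nil, verifyClient(cfg, theirs) == nil, nil
}

func main() {
	ok, bad, err := demo()
	fmt.Println("private CA cert accepted:", ok, "| foreign CA cert accepted:", bad, "| err:", err)
}
```

The pool is the whole control: `RequireAndVerifyClientCert` on its own only guarantees that some chain verifies, and which chains qualify is decided entirely by what is loaded into `ClientCAs`.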

~~~
nkuttler
Lenny didn't get a security update for ghost. What you're thinking of is the
LTS support effort [1] for a limited set of packages. It is maintained by a
team of volunteers and is not an official project. Libc6 has had a few
security upgrades by the LTS team in 2014. See both squeeze and LTS changelogs
[2] for a comparison. It is important to note that if people still run squeeze
they will NOT have LTS support out of the box, it has to be configured
manually.

[1] https://wiki.debian.org/LTS

[2] http://metadata.ftp-master.debian.org/changelogs//main/e/eglibc/eglibc_2.11.3-4_changelog
http://metadata.ftp-master.debian.org/changelogs//main/e/eglibc/eglibc_2.11.3-4+deb6u4_changelog

~~~
Natsu
Sorry, I'm not being clear here. I mean they were upgrading the OS to
something newer; I'm not saying that Debian is (or should be) updating Lenny.

That aside, it seems like you can use the squeeze-lts packages on Lenny.

------
vezzy-fnord
What's more frustrating is that after the disclosure of Heartbleed, a lot of
commentators have been talking about how it demonstrates a colossal blow on
free software in general, and that it is now horribly insecure.

Of course, anyone who is subscribed to a relevant mailing list knows that
security bugs are discovered constantly, are promptly addressed and most never
see much grace beyond being buried in the archives of some taxonomy.

All these marketing campaigns that are about making infomercials out of
security vulnerabilities backfire by causing panic, exacerbating ignorance and
creating talking points for uninformed pundits ("But Heartbleed this,
Shellshock that..."), and I'd wager they skew the infosec community even
further towards self-promotion and ephemerality.

------
yuhong
As an example, there recently has been a publicly disclosed IE11 zero day that
allows universal XSS that IMO is more severe and easier to exploit than GHOST.

~~~
pauldino
This one, I'm guessing, which sounds pretty bad:
[http://seclists.org/fulldisclosure/2015/Feb/0](http://seclists.org/fulldisclosure/2015/Feb/0)

Apparently Microsoft was notified in October but it's still not patched.

------
wyck
Wait a minute... back up, you can hire a PR firm for a bug report. WTF.

~~~
dijit
You can hire a PR firm for anything: a bug, yourself, a dog... anything.

The main reason people engage PR firms is to strengthen their brand or to
attain money/reputation somehow.

Which is what Qualys was doing.

------
wglb
For a contrary, and I think, more informed opinion, see
http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/

------
digital-rubber
Everything is overhyped; including this very website.

------
mentat
PR is absolutely essential for a major vulnerability. They are events that
affect real people's lives.

~~~
dmix
But then it becomes a shouting match and many critical bugs not backed by
companies looking to profit from them go without notice.

Such as the ASLR/PIE bypass in the Linux kernel on Jan 9, 2015 which never had
a brand name:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9585

Or the critical Firefox media plugin sandbox escape from Jan 13, 2015:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-07/

Not to mention the other countless flash exploits that come out each year
allowing drive-bys to happen.

This seems to be a communication problem; for example, most platforms don't
have systems to automatically notify us based on which software we use.
Relying on marketing/branding for bugs to reach us seems highly inefficient,
considering we're in the business of software.

~~~
tedunangst
What makes the Firefox sandbox escape "critical"? It requires at least one
other, unknown bug to exploit. Seems like a pretty run-of-the-mill issue that
will get fixed in the next Firefox update. The fact that most Firefox users
won't ever know about it doesn't matter.

~~~
dmix
I mostly agree with you here, most browsers would take multiple exploits
combined together to be effective. And the update process is fairly rapid with
Firefox these days - especially compared to glibc and (often) Linux kernel
rollouts. So this would exclude the script-kiddies unlike Heartbleed which was
quite accessible to newbs who could use a single PoC.

Browser sandbox escapes are less common than higher level bugs so they have
some FUD-appeal. But my point isn't to say that these are worse than any other
bugs, or more exploitable for that matter. Merely that they are similarly bad
but not as well covered. Both are definitely in the same class as Shellshock
or Ghost.

I'm not saying particularly bad ones aren't in need of special attention,
merely that playing the branding game as a security strategy is mostly
non-productive when countless relatively unknown me-too's exist at all times.

