In general, what is your take on the full disclosure of vulnerabilities? Should the vendors have the final responsibility?
This is a hard one for me, as I don't have direct experience of working on the vendor side. However, software should be a product like any other, and I think the seller of any product ultimately has the responsibility to make sure it's fit for purpose. Most software companies understand that perfectly nowadays and big strides have been made in recent years.
When commenting on your research you said: "The open source nature of Linux made the attacks easier". Does that necessarily mean that closed source is better than open source when it comes to security?
No, not at all! The open source nature of the IPsec implementation we looked at certainly made it easier for us to experiment and to do work on paper before committing to coding. But the attacks we found were not your usual buffer overflows: they required us to build up a detailed understanding of how the Linux IPsec implementation interacted with the IP stack, for example, as well as doing some sophisticated bit manipulations on packets to get the effects we wanted. So our attacks really say very little about the "closed-source versus open-source" debate, which so often focuses only on the number of exploitable buffer overflows and other "standard" vulnerabilities that exist in software.
In fact, our work says more about the complexity of the IETF RFCs and how hard it is for a small team to write an implementation that gets absolutely everything right, from the low-level crypto to the implementation of IPsec policy processing.
Are you satisfied with how Microsoft is tackling the problems in their software with monthly patch releases? Some argue that a premium service that releases the patches as they are ready should be in place for large customers. Should they do more?
One problem they do have is that their patches get reverse engineered on a regular basis, and then tools to exploit the vulnerability appear quite soon after.