Oracle's bad faith with security researchers led to publication of a Virtualbox 0-day


#1

Originally published at: https://boingboing.net/2018/11/11/unreliable-oracle.html


#2

I wonder if there are similar exploits that could be used on cloud providers. This would mean jumping into the underlying infrastructure from AWS, Google, Azure. Since that’s your VM, you could run anything you wanted to get access to the host environment.


#3

Well, cloud providers use other forms of virtualization, very often KVM. So, if these systems have similar bugs, such a thing is very possible!

A quick DuckDuckGo yields this apparently fixed bug in KVM, for instance:

https://patchwork.kernel.org/patch/10109603/

VMWare, who also makes very popular (but proprietary, ugh!) virtualization software is in the news with similar problems:

So - yes, absolutely! These are_fixed_ bugs, and your personal data are probably fine if you encrypt your stuff and such and so, but in the long term, be worried.


#4

It’s about a few things; if you try too hard to boil it down to hacker-good-vs-corporate-evil, you end up with a useless wad of sticky goo.

  1. It’s not a binary choice between “tell the vendor” and “post the vulnerability publicly without warning”; a more obvious choice is “sell the vulnerability to VCP”, who will tell the vendor and (eventually) publish the details.

  2. (Unless of course you’re the kind of “researcher” who sells exploits to shadowy zero-day marketplaces where the NSA, mafia and ISIS can bid against each other).

  3. It seems a little naive to assume someone who sells bugs on the “good” marketplaces would never sell exploits on the “bad” marketplaces (for, I am guessing, quite a bit more money). It might be easier to make this distinction if there were a different employment model for legitimate researchers.

  4. Anyway, whether security researchers can trust vendors is a niche issue. The people actually affected by vulnerabilities (i.e. regular users) already have trusted the vendor, and depend on the vendor to fix holes before bad actors can exploit them. Ultimately, those users do need to know whether their trust is misplaced, but as long as they’re still using the product, premature disclosure puts them in a worse position than a delayed patch would have. It really is a balancing act, and you can’t get that balance by siding unequivocally with either vendors or researchers.

That’s not what he says. He has a list of beeves against the general state of infosec (not Oracle specifically); one beef is that vendors take too long to fix bugs, but all the other beeves are about how researchers get paid.

To me, that seems like the real crux of the thing. Ideally, vendors would (1) offer their own bounties (2) on a fixed fee schedule, and (3) commit to a hard timeline for disclosing any bug. This would turn legitimate security research into a steady, non-crime-adjacent job, and if it became common practice, it would make it easier for users to tell good vendors from bad (which would be the incentive for vendors).

Tl;dr: not all “researchers” are the good guys, and whether vendors are the bad guys or not, you can’t have secure products without them. So vendors, collectively, need to sustain an industry of white-hat researchers that they can live with.


#5

Even if you encrypt, I don’t think there is much you can do if a compromised host is looking at your tratfic. And even if you don’t encrypt with keys managed by the provider, you will prrovably use their key vaults to store yours. So that’s a scary thought.


#6

Interesting - because Larry announced at OpenWorld this year that Oracle Cloud was doing more to separate the underlying infrastructure from the virtual environments running on them. So it sounds Like Oracle is thinking the same way you are


#7

This topic was automatically closed after 5 days. New replies are no longer allowed.