When Amazon Web Services, Rackspace and IBM all reboot their clouds, or at least some of the virtualised servers within it, in the space of a few days then you know the collective global IT security eyebrow will raise.
Initially, that eyebrow arched to form a point that was clearly indicating the direction of the Bash/Shellshock revelations. However, we now know it was prompted by a vulnerability within the Xen hypervisor, which is extensively used within the cloud sphere.
A patch was quickly rolled out to customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.
The 'XSA-108' vulnerability, to give the flaw its cool and snazzy official name (irony alert, irony alert), was caused by a bug in the emulation code used when running HVM guests on x86 processors.
The bug lets an attacker with elevated guest OS privileges crash the host or to read up to three KiB of random memory that might not be assigned to the guest, according to the official advisory, which added "the memory could contain confidential information if it is assigned to a different guest or the hypervisor."
So far, so meh. I mean who really cares? It's just yet another vulnerability that has been caught and patched, something that sadly happens all the time. It's part of the software development circle of life, and as long as those bugs are spotted and squished efficiently and responsibly then all is well. Right?
Well, you'd think so, but here's the thing: responsible disclosure is a bitch. Off all the things that need to be done right when working with IT security, disclosure sits right at the top of a very shaky tree that threatens to topple over at the smallest gust of bad press and crush the reputation of whoever sits beneath it.
In the case of the Xen hypervisor problem, a patch was pretty quickly rolled out but only to those customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.
In my view, this perfectly meets both the efficient and responsible requirements of disclosure. The patch itself was developed and made available as quickly as possible, and steps were taken to mitigate the window of opportunity opening that might allow the bad guys to exploit the vulnerability before that patch was applied. Yet still I hear complaints this was a case of private disclosure, and only by operating in public with 100 per cent transparency can the world be a safer place. What hogwash!
I understand there is some disquiet, shall we say, concerning the fact IBM SoftLayer took a few days longer than Amazon Web Services or Rackspace to apply the patch and reboot. This despite all being on the same Xen pre-disclosure list. The argument being if the vulnerability was publicly disclosed immediately then users of those services could have demanded an equally immediate response. Once again, hogwash!
If a vendor or supplier delays informing customers of the need to patch, then that's not a good thing and I'm not defending it. I am, however, defending Xen in this case as I think it did act responsibly by not disclosing the vulnerability until a patch was rolled out and deployed.
I am a huge transparency evangelist, but it has to be tempered by some real-world conditions that prevent the bad guys from being able to exploit vulnerabilities before a patch can be deployed.
The Xen security response document highlights this in some detail when dealing with a vulnerability that is not already in the public domain. Oh, and don't start rounding on me for being hypocritical here.
Regular readers of my output across the Dennis stable know I am very much in favour of responsible disclosure, and have argued for zero-day disclosure models to be adopted on more than one occasion.
However, the zero-day disclosure argument applies to breaches where customers need to be informed immediately to mitigate further knock-on data damage. What I'm talking about here is specifically vulnerability disclosure, and this comes with a need to heed the warning against speed as the only metric of responsibility.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Put AI to work for IT operationswhitepaper Reduce the cost and complexity of managing hybrid applications
-
AI in the retail industry is spreading beyond the IT departmentNews AI has become a strategic imperative for retailers, delivering marked productivity gains
-
Maximizing contact center operations with generative AI assistants backed by responsible AI principleswhitepaper Reduce the cost and complexity of managing hybrid applications
-
IBM just launched powerful new open source AI models – here’s what you need to knowNews Available under the Apache 2.0 license, IBM's Granite 3.0 models are trained on enterprise data and can out-perform the competition
-
Achieving business outcomes with generative AIWebinar Take your hybrid cloud journey to the next level with generative AI
-
Wimbledon’s new Catch Me Up AI feature promises to keep fans up to date at the tournament – after it irons out some of the wrinklesNews The latest feature to come out of IBM’s partnership with Wimbledon will keep fans engaged from the early stages right through to the final with dynamic player insights
-
AI demands new ways of data managementwhitepaper The data leader’s guide for how to leverage the right databases for applications, analytics and generative AI
-
AI governance for responsible transparent and explainable AI workflowswhitepaper Build greater trust in your AI
