You might recall that last month at the CanSecWest security conference, a challenge was offered for anyone to attempt to break into one of two Apple MacBook Pro laptop systems running OS X. Whoever was successful would win the laptop they broke into. As added incentive, TippingPoint (a division of 3Com) offered a $10,000 cash prize for exclusive rights to details of any vulnerability used to break into the OS.

Of course someone did find a way to break into one of the two laptops. Dino Dai Zovi working in tandem with Shane Macaulay exploited a vulnerability (discovered by Dai Zovi) that exists in the combination of Apple QuickTime and Java. The exploit gave them the ability to access a command shell on OS X. As it turns out, the vulnerability also affects Windows platforms, which makes the vulnerability even more dangerous because it affects a much wider base of computer users around the world.

Last week, Gartner spoke out against public vulnerability research in general as well as hacking contests like the one recently held at CanSecWest. Writing in a research brief for Gartner, research vice presidents Rich Mogull and Greg Young stated that, "Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities--which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

http://www.gartner.com/DisplayDocument?id=504693&ref=g_sitelink&ref=g_SiteLink

Mogull and Young apparently think that no vulnerability should be known to the public until vendors can first develop a patch. While there is certainly an advantage to that approach, there truly is little if any security offered through that sort of obscurity. It's been shown time and time again that when risks are known by the public, then adequate precautions can be taken either by users or by their solution providers.

Most striking to me is the fact that Mogull and Young overlook a glaring problem in picking the CanSecWest contest as the foundation of their rather weak argument. Dai Zovi didn't know of the vulnerability in advance of the contest. He was contacted by Macaulay from the conference and asked if he could find a way into the OS X system so that they could then split the prize package. Macaulay would get the laptop, and Dai Zovi would get the money. Only then did Dai Zovi go to work to try and find a weakness. Dai Zovi later reportedly said that he was more motivated by the challenge itself rather than the $10,000 cash prize.

Obviously, without the CanSecWest challenge, the QuickTime flaw might not have come to light until a much later date, and it might have been because of some sort of malicious code that exploited the vulnerability and that was unleashed on the unprepared public. We could have all been completely blindsided, and at great expense. So the way I see it, thanks are due to CanSecWest, TippingPoint, Dai Zovi, and Macaulay.

The discovery of this particular vulnerability makes it clear that hacking contests serve a great purpose when they're conducted in a controlled manner with strict guidelines, such as those spelled out by the organizers of CanSecWest as well as TippingPoint.

Furthermore, a mere seven days after the QuickTime vulnerability was discovered, Apple released an update (available at the URL below) that fixes the problem, which demonstrates how a well-run challenge and a lot of press coverage gets bugs fixed really fast.

http://docs.info.apple.com/article.html?artnum=305446