by naz 3281 days ago
If the bug were responsibly disclosed to Microsoft, there'd be no proof of concept in the wild, available for anyone to integrate into their ransomware.

Instead, intelligence agencies irresponsibly hold onto them. And so they get leaked at best, or at worst end up in the wrong hands.


It sounds as if your argument is a variant on 'security by obscurity', here hoping that malware creators don't reverse engineer bug fixes (they do).

As bug fixes are reverse-engineered, in your example the malware could be created just as it was; the patches had been out for months and the affected machines had not been patched, so again -- what difference would it have made?

Sometimes, a bit of obscurity will improve security. To get something like WannaCry to work from a security patch, you'd have to do the following:

  1. Analyze the update, determining what parts of the system it changes
  2. Analyze how the system behaved before the update (i.e. find the vulnerability)
  3. Find suitable parameters for the vulnerability to reliably work
  4. Build a proof of concept exploit
  5. Integrate it into your ransomware
Getting a working proof of concept from a leak saves you 4 out of 5 steps. If you are a financially motivated cyber criminal (and if you are distributing ransomware, you are), that can mean the difference between a waste of your time and a juicy return on investment.

Slippery slope though, tools like Metasploit are extremely important for security auditing and are generally regarded as a good thing for that reason, but your logic would apply to it as well.

Metasploit is a bit like a knife. You can use it to chop vegetables or stab people, and depending on who wields it, and in what circumstances, either of the outcomes is more likely.

I'm not arguing against the development on Metasploit though, and neither do I want to make an argument against vulnerability research. Every time Tavis Ormandy takes a shower, an AV vendor runs for cover; and on Christmas each year, Karsten Nohl cancels the vacations for some legacy system developers. That's a good thing, because those guys report their findings. They push vendors to fix the vulnerabilities, and they improve the security of systems we all depend on, every day.

Governments should do the same thing. I am all in favor of investing more in vulnerability research, but we need a process of disclosure. Stockpiling vulnerabilities puts everyone at risk, with little benefit.

Circling back to Metasploit: Yes, it makes work easier for cybercriminals. But even just the knowledge that a vulnerability will be available as a module quickly may be enough to make some vendors think twice about not reacting to a disclosure email, whether it's from Project Zero, independent researchers, or (hopefully more often) government CERTs.

Wait, so when it's your (side's) turn, you(r side) start(s) claiming "vulnerabilities can be independently discovered", but when it's my (side's) turn, your argument is "but there'd be no proof of concept"?

So are you arguing people are going to discover these independently anyway, or not? Pick one and stick with it. You can't have it both ways...