by Ekaros 988 days ago
I kinda hate doing things this way...

Could it be better not to just come out with a somewhat alarmist take that, hey, we are going to release a high-risk vulnerability in a week... and fixes to that...

But instead just release the new version and CVE at the same time? Now is everyone trying to get ready to exploit this on the 11th, or already getting the most out of it if they know? And does this information really make anyone hover their finger over the button to push new versions and so on on the 11th?


No.

At the moment, there is (most likely) no exploit available in the wild. A fix for the vulnerability is basically going to be the blueprint for an exploit. This means an exploit is pretty much guaranteed to start circulating within hours of the vulnerability & fix being released.

A fix cannot immediately be applied to billions of machines. It takes time for distros to port the fixes and backport them to all the versions they still support, it takes time for admins to notice the vulnerability at all, and it takes time to schedule a support window and apply the fix to all your machines. From initial disclosure until significant numbers have been patched can easily take days - or even weeks. During that time, people will be actively exploiting the vulnerability.

On the other hand, by giving a pre-warning to the general public and coordinating the fix with distro maintainers in a closed mailing list, anyone who even remotely cares will be scheduling maintenance windows right when the deadline expires - and patches will be ready for immediate use. This significantly reduces the amount of time the vulnerability will be public without a patch being available for the general population.

It's of course a different story when it is a zero-day actively exploited in the wild already, but that doesn't seem to be the case here.

> On the other hand, by giving a pre-warning to the general public and coordinating the fix with distro maintainers in a closed mailing list, anyone who even remotely cares will be scheduling maintenance windows right when the deadline expires - and patches will be ready for immediate use.

It seems that one of the most productive positions for an intelligence agency to infiltrate is a distro maintainer. They don’t ever have to do anything suspicious, just do a great job maintaining the distro and just give the intelligence agency access to all these vulnerabilities under embargo.

I had the same thought. I bet the NSA has a dossier on every single one of these people around the world. If they don’t, then they should!
Or infiltrate the telecom company and read all of the mailing lists. :)
(The details of the following depend on the nature of the flaw/exploit.)

I think a pre-announcement gives much more advantage to the population of defenders than to the population of attackers.

Attackers can move faster than most defenders, and they only need to find one weak link. Also there are a lot more defenders with various states of readiness, and only one attacker with the resources to spray the internet with the exploit needs to find it in order for there to already be a big problem.

How much faster will attackers be able to do anything because they know it's coming? Mostly only as long as it would have taken them to hear about it.

How much faster will defenders be able to do anything because they know it's coming? They can spend the next week making a list of things that need to be done and places that they'll need to deploy updates, so that when it's available they can act immediately and efficiently.

The risk that attackers will suddenly find the flaw after years because they were told "there's a flaw in cURL" seems low.

There is a risk that the details leak to attackers in advance of the release.

Agree with everything you said except possibly:

> The risk that attackers will suddenly find the flaw after years because they were told "there's a flaw in cURL" seems low.

I’m not so sure about that. Still understand why they’re handling it this way but this is bait like a big red bullseye or rainbow with a pot of gold at the bottom …

We're right in the middle of a 2 week sprint to try and release our product.

Had this notice not been made, on Wednesday all sprint work would have been forced to come to a screeching halt to deal with this.

Now we have a week to notify internal stakeholders and plan accordingly.

This is exactly how it should be done.

I think the current way is better.

This way admins and people can prepare.

If you release the fix and CVE at the same time then the race between bad actors and people starts.

And now the race has started with admins not being able to do anything. Anyone that knows of this vulnerability has enough time for a last hurray to exploit it as much as possible.
To anyone that knows what the vulnerability is, this announcement does not bring any new information.
I suppose it's theoretically possible someone was hoarding this as a zero-day and may decide to more actively exploit it before it gets patched. Except of course that they don't know which precise vulnerability it is.
Also what I consider is who has insider access and how that information leaks... This fix must be known to at least some members of the curl developers. Will they leak it or not? Or anyone who receives it early...
It most definitely does. You know it's going to be patched. You no longer have to tiptoe around to conceal the problem. This can be the difference between snooping a bit of data here and there and just straight up dumping the contents of entire servers.

Of course this depends on the vulnerability itself. But knowing a vulnerability will be patched can be hugely interesting and worthwhile information

Except of course they don't know what vulnerability is getting patched. So, they might actually end up revealing a different vulnerability.
Of course. It's a risk that could easily be worth it depending on the actor and vulnerability
I don't agree. As an admin I can cordon off systems which might be exploited until the fix is released. If there's nothing to exploit, how can you exploit it?
Sure you can. Do you think Slack can? Google can just down their entire fleet? Servers are an essential part of the world functioning. Curl is such a foundational library it's almost sure to be used in a large part of existing servers.
I mean i did just put it on the calendar with a note to update and deploy... so yeah kinda a digital finger ready to push the button as a result of this post...
This only works for curl itself. But how many programs use curl or libcurl, and how many of those won't get an update?

It's good to know beforehand to check which software in your stack will be affected so you can take precautions if those don't get an update fast enough.
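The inventory step the comment above describes is something you can script during the pre-announcement week. The following is an added example, not code from the curl project or from anyone in this thread: it splits the hosts's curl consumers into two classes, programs that dynamically link the distro's libcurl (fixed as soon as the distro package lands) and files that carry a bundled `curl/X.Y.Z` version string (a static link or vendored copy, which needs its own update). The fixed version to compare against is an argument you fill in once the release is out; the function names and the `report` output labels are this example's own invention.

```shell
#!/bin/sh
# Added example: inventory curl/libcurl consumers on a host ahead of a fix release.
# Two classes are reported:
#   dynamic  - ELF executables whose ldd output lists a libcurl shared object;
#              these pick up the fix when the distro's libcurl package is updated.
#   bundled  - any file containing a "curl/<version>" string (static link or a
#              vendored copy); these need their own rebuild or vendor update.

# Print "dynamic <path> <libcurl soname>" for executables under the given dirs.
# Skipped silently when ldd is not available (non-glibc systems).
find_dynamic_libcurl_users() {
    command -v ldd >/dev/null 2>&1 || return 0
    for dir in "$@"; do
        find "$dir" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
            dep=$(ldd "$f" 2>/dev/null | grep -o 'libcurl[^ ]*' | head -n 1)
            if [ -n "$dep" ]; then
                printf 'dynamic %s %s\n' "$f" "$dep"
            fi
        done
    done
}

# Print "bundled <path> <version>" for files carrying a curl/X.Y.Z version string.
# grep -a treats binaries as text so the string is found inside ELF files too.
find_bundled_curl() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            ver=$(grep -a -o 'curl/[0-9][0-9.]*' "$f" 2>/dev/null | head -n 1)
            if [ -n "$ver" ]; then
                printf 'bundled %s %s\n' "$f" "${ver#curl/}"
            fi
        done
    done
}

# version_lt A B: exit 0 when dotted version A is numerically older than B.
# Compares component by component so 7.100.0 sorts after 7.99.0 (a plain string
# compare would get that wrong). Missing components count as 0.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# report <fixed-version> <dir>...: one line per finding, labelled by what has to
# happen for it to be fixed. Output labels are this example's own convention.
report() {
    fixed=$1
    shift
    { find_dynamic_libcurl_users "$@"; find_bundled_curl "$@"; } |
    while read -r kind path ver; do
        case $kind in
            dynamic)
                printf 'UPDATE-VIA-DISTRO %s (%s)\n' "$path" "$ver" ;;
            bundled)
                if version_lt "$ver" "$fixed"; then
                    printf 'NEEDS-OWN-UPDATE %s (bundles curl %s)\n' "$path" "$ver"
                else
                    printf 'OK %s (bundles curl %s)\n' "$path" "$ver"
                fi ;;
        esac
    done
}

# Usage once the fixed version is known, e.g. after sourcing this file:
#   report <fixed-version> /usr/bin /usr/sbin /opt /usr/lib/php
```

Point it at the directories where your interpreters' extension modules live (the PHP curl extension mentioned later in the thread is a dynamic libcurl user and shows up in the first class) as well as at application bundles and container image layers, which is where the bundled copies that no distro package will fix tend to hide. The string scan is a heuristic: a program can bundle libcurl without shipping the user-agent string, and a hit in a log file is not a consumer, so treat the `bundled` list as a starting point for manual review rather than a verdict.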

It really is insane how much you have to tip toe around tech circles just to say anything that isn't part of the colloquial circle jerk.

What you're saying is the approach any competent software company takes to managing vulnerabilities. There's zero reason to write a prior notice that there's a flaw because it would cause panic and allow opportunities to exploit the flaw (((before there's a fix.))) This is the whole premise around 'responsible disclosure' and why every company wants security researchers to abide by it.

The only logical conclusion I can draw here is curl's notice is not responsible.

Security engineer here and for context I manage a very small amount of servers that don’t really matter too much. Having the notice means that I see it on HN before I need to patch - that’s massively handy.

I don’t want to run updates on cron because I feel the risks may outweigh the benefits in some cases, if this extends to other implementations (php curl, etc) then I doubt vuln scanners would pick it up.

Not every company has infinite resources, and security notices are a firehose.

Sure this gives bad actors more of a chance to tee up staff to hit this thing, but it helps the competent but under resourced blue teamers a chance too.

Edit: I upvoted you btw and would encourage others to consider this also. I think your opinion is a valid perspective and conversation provoking which iirc is the point of votes - I’d rather not see HN fall into an echo chamber hive-mind, if it’s not already too late.

I don't think the comment above you is a valid perspective considering that it does not appear to be a 0-day vulnerability and there is no evidence of it being used in the wild. The information he provided is IMO not enough to craft an exploit out of. Yes, now there is a giant bullseye on cURL and maybe the bad guys will start looking hard at it, but cURL has always been a widely distributed software that needs to interact with the unsafe world (the internet), so I would imagine attackers have been looking at it for a while already. So far he hasn't revealed critical information such as when the vulnerability was introduced and exactly what area it affects, which would have helped a potential attacker narrow down the scope.

So I think it's just fear mongering to say suddenly people will craft exploits because of this notice. Like, if they are so good at finding the exploit then they probably would have found it a long time ago already given the lack of useful intel here.

Actually, the approach taken by curl is the best of all worlds: they give minimal information to attackers ("there is a bug"), and they maximize the amount of people that know a critical fix will be required, with a specific date for when the fix will be there.

The more traditional way of releasing the fix and the detailed description of the vulnerability at the same time is strictly worse. It's a very slight improvement for people who monitor these news (attackers don't get to find out there is some issue they could look for), but at a massive cost to those who don't monitor these news as often (attackers know exactly how and what to exploit before they find out).