McAfee Chides TippingPoint In QuickTime Vulnerability Disclosure


By Kevin McLaughlin, ChannelWeb
10:03 AM EDT Tue. May. 08, 2007
A McAfee security researcher on Monday criticized 3Com's TippingPoint division for the way it handled the disclosure of a previously unknown vulnerability in Apple's QuickTime streaming media software.

At the CanSecWest conference in Vancouver, B.C., last month, security researcher Dino Dai Zovi won a "hacking contest" by creating a QuickTime exploit and using it to take over a MacBook laptop. Zovi won the MacBook for his efforts and received a $10,000 bounty from TippingPoint's Zero Day Initiative, a controversial program that offers cash rewards to security researchers in return for exploit code.

In a blog post, Rahul Kashyap, a vulnerability researcher at McAfee, called out TippingPoint for paying the bounty and not giving Apple a chance to fix the bug before its regular patch release.

"Wow! It is rather ironic that a security company, who presumably wants to protect customers, will first put everyone to risk, not notify the vendor on time, and then release signatures!" Kashyap wrote in the blog post.

"The antivirus community, long the target of (bogus) claims that they write viruses to make money, wouldn't touch a contest like this with a barge-pole," Kashyap added.

Apple issued a patch for the vulnerability about a week after being notified by the Zero Day Initiative.

Terri Forslof, security response manager at TippingPoint's Digital Vaccine Labs, said the idea behind the bounty was to dispel the rumors and speculation that typically accompany any discussion about how much a security vulnerability is worth.

"We don't advertise our prices. We could have said, 'We'll buy the vulnerability,' but the first question would have been, 'How much is it worth?' " Forslof said.

There's an inherent risk that can be associated with programs like the Zero Day Initiative, said Craig Schmugar, virus research manager with McAfee's Antivirus Emergency Response Team.

Given the attention that Zovi's QuickTime bug has received, hackers are more likely to reverse-engineer Apple's patch, which could soon lead to exploit code appearing in the wild, according to Schmugar.

"Discovery, disclosure and patching [of vulnerabilities] affect everyone on the Internet," Schmugar said.

Roger Thompson, chief technical officer at Exploit Prevention Labs, based in New Kingstown, Pa., said when it comes to exploit code, the more that's discovered, disclosed and patched, the better, which means fears of reverse-engineering shouldn't factor into the equation.

"When Microsoft patches every month, the potential exists for people to reverse the patches, but that's hardly an argument that Microsoft shouldn't patch," Thompson said.
