
Getting Details on Vulnerability Isn't Always Easy

This was a good news, bad news week for airing security vulnerabilities. On the good news side, we have the U.S. Congress continuing to examine weaknesses and breaches in federal networks. (This isn't your typical political fodder either; more on that below.) On the bad news side, we heard yesterday about vulnerabilities in the Trusted Computing Platform (TCP), but details are unavailable; a Black Hat presentation on the topic was quashed. Finally, in the "not sure this is good news or bad news" category, we have suggestions of significant vulnerabilities in the Intel Dual Core architecture. We need more details and a proof of concept to know where the issue stands.

Let's start with the good news. The Register finds some Congressmen fuming and this makes the sec info crowd happy:

"It has become clear that the infiltration of federal government networks and the possible theft of exploitation of our information is one of the most critical issues confronting our nation," Rep. James Langevin, D-RI, chairman of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, said in a written opening statement on Wednesday.

For security experts, the hearings underscore that some parts of the U.S. government - which has given cybersecurity short shrift since the terrorist attacks on September 11, 2001 - are ready to take the security of federal networks more seriously.

"Congress seems to have come alive, and all of us like it," said Marcus Sachs, deputy director of the computer science lab at government contractor SRI International and an incident handler for the SANS Institute. "By holding public hearings, it brings a new light to the facts that might otherwise be buried in reports."

"Brings new light", I like that phrase. We can't fix what we don't know is broken. Not all of us are comfortable counting on the benevolence and sense of responsibility of those who must fix costly problems. Take the case of Nitin and Vipin Kumar's reported discovery of vulnerabilities in TCP and BitLocker. We don't have details and probably won't get them anytime soon. Are the vulnerabilities real? If they are, what are the potential consequences? How do we compensate for the vulnerabilities? We don't know. Not much light on this one.

Theo de Raadt, a founder of the OpenBSD project, finds flaws in the Intel Core 2:

These processors are buggy as hell, and some of these bugs don't just cause development/debugging problems, but will *ASSUREDLY* be exploitable from userland code.

Intel isn't worried, and some other researchers agree there isn't much of a threat:

Also challenging de Raadt's conclusion was Rodney Thayer, a security researcher with Canola & Jones. While the six errata in de Raadt's post have the ability to harm the inner workings of an OS, they have little implication for security.

"Like usual, Theo's grumbling is never completely guff, but often it has a lot of noise to it," Thayer says. "I'm having a lot of trouble finding signal there."

But de Raadt said he remains concerned. He cautioned that just because Intel has issued a fix or instructions for a work-around doesn't mean they're being pushed out to Core 2 machines, particularly if they're using a less standard OS or are in an embedded device such as a phone switch.

Time for a proof of concept to bring some light to this one.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net