News has spread pretty quickly about the latest IE 0-day exploit. Unfortunately, in trying to publicize the quality of his employer’s product in relation to this new exploit, according to Ryan Naraine, a researcher at McAfee inadvertently divulged too much information about the vulnerability leading to some unintended consequences.
The consequences were – the prompt creation of a PoC Metasploit module for the vulnerability, turning what was once an exploit used in targeted attacks into a potentially widespread issue for users IE 6 and 7.
What exactly was divulged? Well, I was curious too, as I frequently am faced with what information I should or should not mention. It turns out that all that was divulged was a list of file names involved with the exploit and malware dropped by the exploit, and the domain name that the malware connected to.
It seems pretty reasonable to list that information in a blog post, right? Surely someone writing IDS signatures would find the URL used by the malware useful, and other anti-virus researchers might gain benefit from knowing the file names associated with the attack.
This leads to the question then, exactly what can be safely disclosed? Should nothing be disclosed? As a technical individual I get frustrated when an author redacts all important information in regards to indentifying a threat; the McAfee researcher was obviously trying to keep people like myself interested.
My suggestion for researchers writing about live threats is simple. If the domain(s) hosting un-patched exploits are still active, don’t post the URL or filenames associated with the exploit: frequently Google will happily locate the page for you.
Does this mean researchers shouldn’t share key information about live threats? Of course not, we do it all the time. But not in public – there are plenty of secure methods for sharing details about live threats.