Opinion: The irresponsible silence of manufacturers must come to an end

If a security vulnerability is actively exploited, additional information is needed. Jürgen Schmidt from heise security believes that manufacturers have a duty.


It has become common practice for manufacturers to state routinely in their advisories whether, to their knowledge, a vulnerability is already being exploited. That is progress compared with the past, when manufacturers preferred to play things down – "We are not aware of any attempts to exploit the vulnerability" – and to keep what they knew about specific incidents to themselves. Back then one could only speculate that the absence of the reassuring phrase hinted that more was going on and that the patch should perhaps be given higher priority.

An opinion by Jürgen Schmidt

Jürgen Schmidt – aka ju – is head of heise Security and Senior Fellow Security at Heise-Verlag. A physicist by training, he has worked at Heise for over 25 years and is also interested in networks, Linux and open source. His current project is heise Security Pro for security managers in companies and organizations.

At least in this respect, manufacturers' communication about their security vulnerabilities has improved. On the August patchday, for example, Microsoft openly stated that six of the ten zero-day vulnerabilities were already being actively exploited (the remaining four were publicly known before the patch, but no attacks had been observed). The vulnerability behind the weekend's Edge patch had likewise been under attack for days. Anyone running the affected product may therefore have been attacked before the patches were even available, and may now have backdoors and attackers in their systems.

And what now? Patching is generally not enough to get rid of them, as the admins at Düsseldorf University Hospital painfully discovered: although they had patched their Citrix VPN gateways against #Shitrix, a ransomware gang still visited them shortly afterwards via a backdoor installed before the patch. Wherever a vulnerability is already being exploited, it is essential to check thoroughly whether you are already affected.


But how? Microsoft generally provides no further information about the known incidents, and many manufacturers follow its bad example. Every shred of information would help defenders: the number of known cases, any common pattern such as countries or sectors and, above all, the relevant time period. Better still would be concrete detail such as the error messages an exploit produces, or indicators of compromise in the form of IP addresses or file hashes to look for. Without such data points, the bare statement that attacks have already taken place cannot be acted on.
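What a defender actually does with such data points, shown here with an added Python sweep that is not part of the original commentary: it matches constructed log lines against hypothetical indicators of compromise (two IP addresses, one file hash) and flags hits that fall outside a hypothetical exploitation window of the kind an advisory should state. All indicators, dates, hostnames and log lines are constructed; the key=value log format and the function names are assumptions for the illustration.

```python
"""Sweep constructed log lines for the kind of IoCs an advisory should carry.

Added illustration, not heise code. The indicators, the attack window and
the log lines below are all constructed for this example.
"""
import re
from datetime import datetime, timezone

# Hypothetical indicators (203.0.113.0/24 is an RFC 5737 documentation range;
# the hash is a placeholder, not a real sample).
IOC_IPS = {"203.0.113.17", "203.0.113.42"}
PLACEHOLDER_HASH = "4f1c" * 16
IOC_HASHES = {PLACEHOLDER_HASH}

# Hypothetical window from the advisory: "exploitation observed between ...".
ATTACK_WINDOW = (
    datetime(2024, 8, 1, tzinfo=timezone.utc),
    datetime(2024, 8, 13, tzinfo=timezone.utc),
)

# Constructed key=value log lines from fictitious gateways "gw1" and "gw2".
SAMPLE_LOGS = [
    "2024-08-03T22:11:09Z host=gw1 src=198.51.100.8 path=/login status=200",
    "2024-08-05T02:47:31Z host=gw1 src=203.0.113.17 path=/login status=200",
    "2024-08-05T02:48:02Z host=gw1 src=203.0.113.17 path=/cgi-bin/upload status=500",
    f"2024-08-05T02:49:40Z host=gw1 event=file_write sha256={PLACEHOLDER_HASH} path=/tmp/.x",
    "2024-07-12T08:00:00Z host=gw2 src=203.0.113.42 path=/login status=200",
    "this line is not a log entry",
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return (utc timestamp, {key: value}) or None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return ts, fields


def sweep(lines, ioc_ips, ioc_hashes, window=None):
    """Return one hit per line that matches an indicator.

    Hits outside the advisory's window are kept but flagged, so they can be
    triaged separately instead of being silently dropped or treated the same
    as hits inside the period in which the vendor actually saw attacks.
    """
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        reasons = []
        if f.get("src") in ioc_ips:
            reasons.append("ioc-ip:" + f["src"])
        if f.get("sha256") in ioc_hashes:
            reasons.append("ioc-hash:" + f["sha256"][:12])
        if not reasons:
            continue
        in_window = window is None or window[0] <= ts <= window[1]
        hits.append({
            "ts": ts.isoformat(),
            "host": f.get("host"),
            "in_window": in_window,
            "reasons": reasons,
        })
    return hits


def run_example():
    """Sweep the constructed logs with the constructed indicators and window."""
    return sweep(SAMPLE_LOGS, IOC_IPS, IOC_HASHES, ATTACK_WINDOW)


if __name__ == "__main__":
    for hit in run_example():
        flag = "" if hit["in_window"] else "  (outside advisory window)"
        print(hit["ts"], hit["host"], ", ".join(hit["reasons"]) + flag)
```

Run as a script, it lists three hits inside the window and one earlier hit from a second gateway that needs separate triage. The point is the input side: without the indicators and the time period that only the manufacturer has, there is nothing to feed into a sweep like this.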

To put it plainly once more: this additional information on vulnerabilities that are already being actively exploited is not a "nice to have", not a little extra thrown in, but essential for handling vulnerabilities professionally and responsibly. And security vulnerabilities, especially those under active exploitation, are not "business as usual" either; every single one is still a #fail that was only made possible by a mistake on the manufacturer's side. The manufacturer should therefore make every effort to help affected customers as well as it possibly can. We should not let ourselves be fobbed off with a meaningless checkbox, but keep reminding manufacturers of their responsibility.

Incidentally, it would also be highly questionable to provide this only for an additional fee, for example as part of an extra "threat intelligence" product. Manufacturers should leave the "it would be a shame if something happened to your IT" routine to the protection racket. Information about active attacks must be available to all customers free of charge. Provided it exists, of course: if the manufacturer itself has no concrete information about the attacks, which can happen, it should say so and point to further, external sources. And, if possible, it should then improve its infrastructure so that affected customers can send it such helpful information in future.

A brief look behind the scenes: in our vulnerability reports on heise security, we will increasingly call out these omissions and explicitly point out when a manufacturer fails in its obligation to give customers the information they need about vulnerabilities that are already being exploited. Not just Microsoft, of course, but any manufacturer that leaves us all out in the cold like this. Perhaps one or two readers will ask their service contact for such information or complain about its absence. Because only together can we get things moving.

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.