Oracle's bad faith with security researchers led to publication of a VirtualBox 0-day

In the debate over "responsible disclosure," advocates for corporate power say that companies have to be able to decide who can reveal defects in their products and under which circumstances, lest bad actors reveal their bugs without giving them time to create and promulgate a patch.


But over and over again, this theory of corporate responsibility and security researcher intransigence falls apart. The reality is that the kinds of security researchers who want to report bugs (rather than using them to attack people) are primarily interested in improving security, and corporations that offer good-faith promises (and live up to them) can easily tempt researchers into coordinating their disclosures. When corporations threaten researchers or fail to act on their warnings, the result isn't silence — it's uncoordinated disclosure, when a security researcher simply publishes their findings without warning the company first.


The latest example of this is Sergey Zelenyuk's publication of a "100% reliable" exploit against VirtualBox, Oracle's popular virtual machine software. The exploit allows attackers to puncture the virtual machine's sandbox and access the underlying system's files and processes.

Zelenyuk published the zero-day bug because of Oracle's long history of mistreatment of security researchers (including threatening customers with legal retaliation if they hire auditors to examine the software Oracle sold them), and its cavalier handling of bugs, including a 15-month lag between learning of a similar bug and issuing a patch.

It's a sobering reminder that the "responsible disclosure" debate isn't about the circumstances under which researchers can go public; it's about whether they choose to trust a company before going public. Some people have tried to shift the debate by criminalizing disclosure without corporate approval, but in those circumstances, we see even less coordination: it's becoming increasingly common for security researchers who fear retaliation to anonymously post their findings to pastebin and similar sites.

The vulnerability has security researchers panicking because VirtualBox is one of the most popular VM applications used for day-to-day malware analysis and reverse engineering.

Many have expressed concerns that malware authors may embed the zero-day's exploit chain inside malware strains that will then be able to escape VirtualBox VMs and infect the researchers' main operating systems with malware, as payback.

Today's zero-day disclosure is also the second virtual machine escape that Zelenyuk has discovered affecting VirtualBox. He found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix.


VirtualBox zero-day published by disgruntled researcher [Catalin Cimpanu/ZDNet]


(via /.)