Tuesday, April 29, 2014

Do you trust US-CERT?


I noticed an article on Reuters titled "U.S., UK advise avoiding Internet Explorer until bug fixed" by Jim Finkle on April 28.



This article states:

"The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system."

So I checked its source at the "U.S. Computer Emergency Readiness Team" and found that it was similar to what the article was talking about:

"Microsoft Internet Explorer Use-After-Free Vulnerability Being Actively Exploited
Original release date: April 28, 2014


US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.


US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.


For more details, please see VU#222929
This product is provided subject to this Notification and this Privacy & Use policy."

Source: U.S. Computer Emergency Readiness Team first release at Google Cache

The address "was" and "is" "http://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being"



But today (April 29) I noticed that the "U.S. Computer Emergency Readiness Team" changed the page of the source making a different kind of statement with the same date (April 28) and without reference to the original one.

"Microsoft Internet Explorer Use-After-Free Vulnerability Guidance
Original release date: April 28, 2014


US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.


US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser.


For more details, please see VU#222929.


This product is provided subject to this Notification and this Privacy & Use policy."

Source: Current "U.S. Computer Emergency Readiness Team"
  
Just check the Google Cache against the current article.
UPDATE: OOPS... the Google cache got updated. I only have the PDF I printed from that page.
 

What is the problem with this?

The problem is something we call "trust". The U.S. Computer Emergency Readiness Team can make mistakes, but they should not change their website as if nothing happened; they should state that there has been a change of mind or that more research turned up different results.

It is possible that US-CERT was overreacting by saying "complete compromise" or "where possible and consider employing an alternative web browser". But to avoid hurting their reputation, they should write an update to that statement or page saying something like "After checking more documentation about this bug we can update this statement by saying... bla bla bla.", instead of trying to silently wipe away their mistakes (if it is a mistake).
  
Can the US-CERT be trusted?