A Warning Tale on IT Security Reporting
by Reflare Research Team on Oct 16, 2022 7:53:00 AM
Well-intentioned media organisations push hard to break stories in real-time, but at what cost? Inaccurate reporting, insufficient context, and no quality control often lead to misinformation and outright confusion.
First Published 30th July 2019 | Latest Refresh 16th October 2022
All the IT security news that’s fit to print, or burn.
The Mistrust of the Media
Some time back, we watched many media outlets - from small personal blogs to top 5 players in IT reporting - publish articles on a supposedly critical flaw in the popular VLC media player. Users were urged to go as far as to uninstall VLC immediately.
Since this is an embarrassing matter that affects many otherwise reputable sources, we will refrain from linking to any specific article: any selection we could make would unfairly single out those selected over the literally hundreds of others we don't mention. In this briefing, we will take a look at the bug in question, why official risk reports have to be read with some care, and why you should never trust any news blindly - even if it is echoed across hundreds of sites.
What happened?
One quiet Wednesday afternoon in July 2019, a bug was reported to the VLC project. Such a report is a very common occurrence; however, this report indicated that the bug may allow an attacker to execute arbitrary code, thereby making it more dangerous than other bugs. The team responded to the report within a few hours but struggled to reproduce the issue, which does happen quite often. Complex software relies on a myriad of other libraries and system services, which in turn makes some bugs extremely hard to reproduce on a different computer.
Based on this information, the team decided to investigate the bug but not rush the process. After all, a bug that cannot be reliably reproduced even by people trying to reproduce it is very unlikely to be weaponized by attackers. The risk of failure would be simply too high.
Why the panic?
Many countries have agencies that issue risk reports for newly discovered software bugs. These reports are largely automated and aim to help large enterprises and government organisations keep their IT infrastructure secure.
Such reports are both read by humans and automatically processed by software. Around two weeks later - meaning two weeks after the initial report - several such agencies published advisories on the bug that rated it as critical. The biggest among them were the United States' NIST and Germany's CERT.
So surely, if these large and reputable agencies rate the bug as critical, then the reaction must have been adequate? Not so fast. The agencies rating the vulnerabilities have the goal of erring on the side of safety. The reports they create are meant to be read by professionals with the ability to accurately judge the substance of the report and the potential impact on a given system. This means that bugs with no or very little available information are routinely marked as “critical”. Since no information exists, the worst case cannot be ruled out. Therefore the bug is preliminarily assumed to be critical.
Subsequently, experts looking at the report will notice the reasoning and lack of details and act accordingly.
Since the bug was reported to be triggered by a .mkv video file, an appropriate reaction would have been to not open unknown .mkv files until further notice. Other video files - let alone the player just being installed - presented no threat.
A Panic Cascade
Unfortunately, the shortage of information security talent is not limited to the primary workforce but also extends into reporting. With the demand for IT security news increasing by the day, fewer and less qualified writers are put in charge of writing about more and more complex topics. This seems to be exactly what happened in this case.
"Immediately uninstall VLC?!?"
Someone unfamiliar with the operations of NIST, CERT and others read the preliminary vulnerability report and jumped to the conclusion that the word "critical" in a report about a popular consumer-level video player was a big deal. Said writer (and those following him/her) either didn't bother to check or didn't have the technical skill to understand that the scope of the vulnerability was extremely limited.
Once the first couple of articles were published, other news sites and blogs jumped on the topic - feeling secure that if industry heavyweights were reporting the issue as critical, then it must be true. From there the usual war for clicks started with various (mostly smaller) outlets trying to outdo one another until eventually panicked reports about an “immediate need to uninstall VLC” flooded social media and news aggregators.
The Aftermath
According to the VLC project, the vulnerability existed not in the player itself but in an older version of a library called Matroska. The Matroska project in turn points out that the vulnerability in question had been fixed in April 2018. It appears that the person filing the bug report (who acted responsibly) may simply have had an older library installed on their system due to a lack of updates. The original media reporters (who did not - by any measure - act responsibly) either had the same old version of the library or failed to confirm the issue altogether.
Even if the issue had been current, the impact was obviously limited from the start. NIST and CERT have since updated their advisories to class the bug as “Medium” and “Low” respectively. Some users likely fell for the fearmongering and uninstalled VLC. They would need to reinstall it, but no major direct harm would be done.
What was harmed however was the trust in information security reporting. There are real cyber security emergencies on a regular basis, from remotely exploitable 0day vulnerabilities in operating systems to fast-spreading malware like WannaCry. The public relies on IT news to keep them accurately informed about such events.
Poor reporting practices like the one we witnessed last week lead to a decrease in trust. Just like people who receive too many tornado warnings eventually stop evacuating, users receiving too many sensationalized reports on vulnerabilities eventually stop mitigating them.
As IT security news matures, this state of "yellow journalism" was an unavoidable stepping stone. The same is true for any niche that is reported on. All we can hope for now is that the yellow phase passes quickly. Otherwise, even slight decreases in user trust and compliance could lead to billions of dollars in long-term losses due to increased cybercrime.
When it comes to interpreting such reporting, the responsibility of 'Reader Beware' comes to the fore. However, as a topic such as cybersecurity is ever evolving, the reader (irrespective of their own title or knowledge base) who is accountable for the reaction to such reporting should make every effort to stay informed of the latest trends, how to interpret them, and consciously think through how they should best respond. Expand your IT security capabilities through the application of relevant, hands-on training. Additionally, to stay informed about current events, you can (somewhat counterintuitively given this very research brief) read our research briefs on other related topics.