See no vulnerabilities, hear no vulnerabilities


May 3, 2007


Yesterday, Computerworld reported on a Gartner tidbit that "QuickTime Vulnerability Exposed by Contest Poses Wide Risk". I'm in complete agreement with the title. The QuickTime vulnerability is indeed a pretty nasty one. It impacts both Mac and Windows (including Vista!) machines with any web browser, as long as Java and QuickTime are installed and enabled. Pretty bad combination. Unfortunately, my agreement with the analysts doesn't make it much beyond the title. The second line of the summary is:

The incident highlights the danger of vulnerability research conducted in public.

There are a couple of problems with this. First, the actual vulnerability research was not conducted in public. Dino Dai Zovi, who developed the exploit, wasn't even in Vancouver where the contest was being run. Secondly, I'm not sure what danger was highlighted. I'd call this a success story for responsible disclosure.

Had the contest not been run, Dino might not have found the vulnerability first (certainly he wouldn't have been as motivated, as he himself points out in the Computerworld story), and we might not have been so lucky that whoever did find the vulnerability would be content with the normal ZDI payments. Instead they might have decided to sell the vulnerability for much more to malware authors or other digital mobsters (yes, I cringed when I wrote it too, but it's descriptive).

Now, had the contest been run in such a manner that the exploit was liable to leak into the wild, I'd agree that it was a risky stunt and possibly not worth the effort. However, that doesn't seem to be the case. So what was the end result of this contest? A very serious bug was discovered, reported, and resolved, all before a single wild exploit was found. Incidentally, the total time before patch was just about a week and a half [my original dates were wrong--the discovery date was April 20, the patch date was May 1, 11 days to fix]. Much better than some of their previous patch release times, and better than Microsoft's average even if you assume (incorrectly) that they never miss outstanding vulnerabilities with each Patch Tuesday, which would come out to 14 days. [Fun game -- can you count how many Patch Tuesdays the recent ANI patch missed before it was found exploited in the wild? I'll give you a hint, x>1]

My disagreement doesn't stop there, either. Later on it's stated that:

No single safeguard can guarantee complete protection.

No single safeguard? Safeguards like disabling Java, or uninstalling QuickTime? Heck, they're both mentioned later on in the same report, and either option guaranteed complete protection. Even using NoScript with "Forbid Java" enabled would have mitigated attacks for Firefox users.

Or this bit:

Enable network IPS signatures for this vulnerability as they become available to block potential attacks via Web links. Network IPSs offer a good first line of defense; however, recognize that an exploit could be made via an SSL encrypted session that is not subject to inspection.

IPS as the first line of defense against a browser-based exploit? Not my first pick. While SSL is indeed one way to trivially evade an IPS, it's much less common than JavaScript obfuscation. At the very same conference where this contest was run, Dr. Jose Nazario was presenting on JavaScript obfuscation and de-obfuscation techniques.

Let's be very clear. The vulnerability was there whether Dino found it or not. This contest was the reason the vulnerability was found (certainly when it was, possibly at all) by Dino, and the vulnerability was resolved without any public exploits. How, exactly, is this more dangerous than not running the contest and crossing our fingers that the good guys would have found it first?
