Do Bug-Hunting Security Firms Put Users at Risk?
Publicizing software flaws before reporting them to the maker could help hackers attack, some insiders say.
Paul Roberts, IDG News Service
When researchers at GreyMagic Software discovered a batch of security vulnerabilities in Microsoft's Internet Explorer earlier this month, their first response was to test the vulnerabilities and make sure they were for real. What they did next, however, raised the ire of Microsoft and others within the software industry.
In addition to sending information about the vulnerabilities to Microsoft, GreyMagic published information on their public Web site about the vulnerabilities along with code showing how the vulnerabilities could be exploited. They also sent e-mail announcing their discovery to a variety of public Web sites frequented by computer security experts and computer hackers.
"Under the full disclosure policy, we're releasing these vulnerabilities to the public and to Microsoft at the same time," the company, which is based in Israel, said in an e-mail notifying the public about the vulnerabilities. "Notifying Microsoft ahead of time and waiting for them to patch the reported issues proved as nonproductive."
Long-Simmering Dispute
The company's provocative action this week adds fuel to a long-simmering dispute between software vendors and researchers who look for security vulnerabilities over who has a right to know about security holes in commercial software and when they have a right to know it.
"The only one way that is proven to handle security vulnerabilities is for the person who finds a vulnerability to report it to the vendor," said Scott Culp, manager of Microsoft's Security Response Center. "The vendor is the only entity capable of creating a patch."
But Lee Dagon, head of research and development at GreyMagic, says that cooperation with Microsoft can often lead to long delays in getting patches--delays that put users at risk.
The decision to publicize the Internet Explorer vulnerabilities followed a number of incidents in which Microsoft was slow to respond to security issues disclosed to the company confidentially by GreyMagic, according to Dagon.
"This is our twelfth advisory regarding IE. Most of our previous IE advisories were indeed reported to Microsoft prior to the release. Each time, Microsoft failed to produce a patch in a timely manner, leaving users exposed for months at a time," Dagon wrote in an e-mail regarding the dispute.
Spreading Information
For Culp, however, such arguments are sophistry that disguises a troubling phenomenon--professional security experts giving information on software vulnerabilities away to hackers.
"This is not an abstract problem. The vast majority of users don't read security mailing lists and don't read postings about product vulnerabilities. Hackers do. [Disclosing vulnerabilities] only serves to tell hackers about vulnerabilities, and telling them how to go and exploit vulnerabilities is clearly not in the best interests of users," Culp said.
In his e-mail, Dagon listed a number of security vulnerabilities discovered by GreyMagic along with the length of time that passed between when each vulnerability was reported and when Microsoft, based in Redmond, Washington, issued a patch for it. In one instance more than six months passed before a patch was issued, according to Dagon.
Speeding the Process
According to Dagon, publicizing vulnerabilities is one way to get Microsoft to respond in a timely manner.
While Culp agrees that disclosing security vulnerabilities to the public is likely to result in a faster reaction from Microsoft, he argues that the quicker turnaround is not always in the best interest of consumers.
Microsoft receives thousands of reports of vulnerabilities each year from individuals and from companies such as GreyMagic, according to Culp. As a result, the company must prioritize its activities, fixing the most serious vulnerabilities first and leaving less critical holes to be patched later.
But when a company or individual releases information about a vulnerability to the public, that planning goes out the window, according to Culp.
"A publicized vulnerability necessitates a much faster schedule and increases the priority of checking out that report even above other reports that could turn out to be more important, but weren't [publicized]. Because it presents clear and present danger to customers, we have to push other things aside. It's not an effective way to protect customers," Culp said.
Many security companies agree.
"We know that some holes are more important than others," said Aviram Jenik, chief executive officer of Beyond Security, another Israeli security company that generally works with software vendors and does not publicize vulnerabilities before a patch is available.
"Unless we have serious disagreement with the vendor, which is very rare, we'll trust their judgment," Jenik said.
Government Involvement
The dispute is drawing more attention, as the information technology community and the U.S. government expand their focus to include application security as well as network security.
Richard Clarke, the Bush administration's special advisor on cyberspace security, has made application security a top priority. And while he thinks that the government should push vendors to produce more-secure software, in public statements he has sided with vendors in the debate over publicizing vulnerabilities.
"When you find a vulnerability, there is a responsible way and an irresponsible way to handle it," Clarke said at a town hall-style meeting held at the Massachusetts Institute of Technology in Cambridge, Massachusetts, earlier this month.
At the meeting, Clarke exhorted security experts to report vulnerabilities first to the vendor, and to wait for a patch before informing the public.
"It does no one any good to tell the world about software vulnerabilities before a patch has been issued," Clarke said.
At the same time, President Bush's point man on cybersecurity suggested an escalation chain that security experts might use in lieu of public notification when they encounter a wall of silence from vendors. Clarke named the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh and the FBI's National Infrastructure Protection Center as organizations that can also field warnings about insecure software products.
"If that doesn't work, call me," Clarke said, noting that his office can speak directly to the chief executive officers of recalcitrant companies, a technique that usually produces quick results.