Black Screen of Death: A Lesson in FUD
The reports of the Windows "black screen of death" seem to be greatly exaggerated and hardly worth mentioning. The FUD (fear, uncertainty, and doubt) and sensationalism that have surrounded the issue are a bigger story than the actual black screen of death at this point, and highlight the need for clear communication and ethical disclosure.
Vulnerability research is a race for bragging rights. The competition to be first to announce a new flaw--particularly a flaw that allegedly impacts Windows 7--is fierce and can have unfortunate consequences as it apparently did in this case.
FUD and Sensationalism
The initial blog post from Prevx on Black Friday claims that "millions" of Windows 7, Vista, and XP systems are impacted by the black screen of death issue, and that the problem is caused by updates Microsoft pushed out during the November Patch Tuesday. Neither of those claims has turned out to be true.
Graham Cluley, senior technology consultant with security software vendor Sophos, says "Certainly PrevX's original blog post does seem to have been unfortunate. The claim that the problem could affect "millions" of Windows users was clearly far wide of the mark. Indeed, when journalists rang me up asking about the [issue] all I could do is scratch my head and say that we hadn't had any reports of difficulties from our customers."
There are unwritten rules for ethical disclosure of vulnerabilities that reputable organizations like Prevx are expected to follow. Reports thus far seem to suggest that Prevx violated those rules by not first contacting Microsoft before going public with its claims.
Balancing Urgency and Good Intentions
Cluley points out, though, that its not always that simple. "It's always a challenge getting the balance right between warning the public of a threat and checking your facts to the "nth" degree. Clearly on this occasion, PrevX got the problem wrong-- but we should judge them more by how they have acted since the error occurred rather than from their one slip-up."
He goes on to defend Prevx "I don't know if they did contact Microsoft in advance of blogging, and chose not to wait for Microsoft to respond, or not. I am sure, however, that they genuinely believed that the reason for the "black screens" they were seeing was due to problems with Microsoft's software and were sincere in warning the public."
The Damage is Done
Prevx is a reputable information security company so it seems reasonable to assume it had good intentions, or at least that the FUD and sensationalism were an honest mistake. The problem with FUD and sensationalism though is that once its out there the damage is already done.
Windows 7 has been well-received thus far, but it is still new and many organizations are gun-shy about jumping on the Windows 7 bandwagon too soon. Reports like the black screen of death claiming flaws and system crashes in the new operating system complicate the process for organizations struggling to decide when, or whether, to make the move to Windows 7.
Hopefully Prevx' quick response and mea culpa blog post admitting its error and apologizing to Microsoft will help to undo some of the damage.
Sophos' Cluley sums it up though "I don't think PrevX meant to scare people unnecessarily - I think some details and double-checking got lost along the way. Hopefully everyone can now move on to the more important and pressing real issues that face IT teams every day."