Vulnerability research is a race for bragging rights. The competition to be first to announce a new flaw–particularly a flaw that allegedly impacts Windows 7–is fierce and can have unfortunate consequences as it apparently did in this case.
FUD and Sensationalism
The initial blog post from Prevx on Black Friday claims that “millions” of Windows 7, Vista, and XP systems are impacted by the black screen of death issue, and that the problem is caused by updates Microsoft pushed out during the November Patch Tuesday. Neither of those claims has turned out to be true.
Graham Cluley, senior technology consultant with security software vendor Sophos, says “Certainly PrevX’s original blog post does seem to have been unfortunate. The claim that the problem could affect “millions” of Windows users was clearly far wide of the mark. Indeed, when journalists rang me up asking about the [issue] all I could do is scratch my head and say that we hadn’t had any reports of difficulties from our customers.”
There are unwritten rules for ethical disclosure of vulnerabilities that reputable organizations like Prevx are expected to follow. Reports thus far seem to suggest that Prevx violated those rules by not first contacting Microsoft before going public with its claims.
Balancing Urgency and Good Intentions
Cluley points out, though, that its not always that simple. “It’s always a challenge getting the balance right between warning the public of a threat and checking your facts to the “nth” degree. Clearly on this occasion, PrevX got the problem wrong– but we should judge them more by how they have acted since the error occurred rather than from their one slip-up.”
He goes on to defend Prevx “I don’t know if they did contact Microsoft in advance of blogging, and chose not to wait for Microsoft to respond, or not. I am sure, however, that they genuinely believed that the reason for the “black screens” they were seeing was due to problems with Microsoft’s software and were sincere in warning the public.”
The Damage is Done
Prevx is a reputable information security company so it seems reasonable to assume it had good intentions, or at least that the FUD and sensationalism were an honest mistake. The problem with FUD and sensationalism though is that once its out there the damage is already done.
Windows 7 has been well-received thus far, but it is still new and many organizations are gun-shy about jumping on the Windows 7 bandwagon too soon. Reports like the black screen of death claiming flaws and system crashes in the new operating system complicate the process for organizations struggling to decide when, or whether, to make the move to Windows 7.
Sophos’ Cluley sums it up though “I don’t think PrevX meant to scare people unnecessarily – I think some details and double-checking got lost along the way. Hopefully everyone can now move on to the more important and pressing real issues that face IT teams every day.”