Security companies split over flaw disclosures

When researchers at GreyMagic Software discovered a batch of security vulnerabilities in Microsoft's Internet Explorer earlier this month, their first response was to test the vulnerabilities and make sure they were for real. What they did next, however, raised the ire of Microsoft and others within the software industry.

In addition to sending information about the vulnerabilities to Microsoft, GreyMagic on Tuesday published information about the vulnerabilities along with code showing how the vulnerabilities could be exploited on their public Web site. They also sent e-mail announcing their discovery to a variety of public Web sites frequented by computer security experts and computer hackers.

"Under the full disclosure policy, we're releasing these vulnerabilities to the public and to Microsoft at the same time," the company, which is based in Israel, said in an e-mail notifying the public about the vulnerabilities. "Notifying Microsoft ahead of time and waiting for them to patch the reported issues proved as non-productive."

The company's provocative action this week adds fuel to a long-simmering dispute between software vendors and researchers who look for security vulnerabilities over who has a right to know about security holes in commercial software and when they have a right to know it.

"The only one way that is proven to handle security vulnerabilities is for the person who finds a vulnerability to report it to the vendor," said Scott Culp, manager of Microsoft's Security Response Center. "The vendor is the only entity capable of creating a patch."

But Lee Dagon, head of research and development at GreyMagic, says that cooperation with Microsoft can often lead to long delays in getting patches -- delays that put users at risk.

The decision to publicize the Internet Explorer vulnerabilities this week followed a number of incidents in which the company was slow to respond to security issues disclosed to them confidentially by GreyMagic, according to Dagon.

"This is our twelfth advisory regarding IE (Internet Explorer). Most of our previous IE advisories were indeed reported to Microsoft prior to the release. Each time Microsoft failed to produce a patch in a timely manner, leaving users exposed for months at a time," Dagon wrote in an e-mail regarding the dispute.

For Culp, however, such arguments are sophistry that disguises a troubling phenomenon -- professional security experts giving information on software vulnerabilities away to hackers.

"This is not an abstract problem. The vast majority of users don't read security mailing lists and don't read postings about product vulnerabilities. Hackers do. (Disclosing vulnerabilities) only serves to tell hackers about vulnerabilities, and telling them how to go and exploit vulnerabilities is clearly not in the best interests of users," Culp said.

In his e-mail, Dagon listed a number of security vulnerabilities discovered by GreyMagic along with length of time that passed between when the vulnerability was reported and when Microsoft, based in Redmond Washington, issued a patch for the vulnerability. In one instance more than six months passed before a patch was issued, according to Dagon.

According to Dagon, publicizing vulnerabilities is one way to get Microsoft to respond in a timely manner.

While Culp agrees that disclosing security vulnerabilities to the public is likely to result in a faster reaction from Microsoft, he argues that the quicker turnaround is not always in the best interest of consumers.

Microsoft receives thousands of reports of vulnerabilities each year from individuals and from companies such as GreyMagic, according to Culp. As a result, the company must prioritize its activities, fixing the most serious vulnerabilities first, and leaving less critical holes to be patched later.

But when a company or individual releases information about a vulnerability to the public that planning goes out the window, according to Culp.

"A publicized vulnerability necessitates a much faster schedule and increases the priority of checking out that report even above other reports that could turn out to be more important, but weren't (publicized). Because it presents clear and present danger to customers, we have to push other things aside. It's not an effective way to protect customers," Culp said.

Many security companies agree.

"We know that some holes are more important than others," said Aviram Jenik, chief executive officer of Beyond Security Ltd., another Israeli security company that generally works with software vendors and does not publicize vulnerabilities before a patch is available.

"Unless we have serious disagreement with the vendor, which is very rare, we'll trust their judgment," Jenik said.

The dispute is demanding more attention, as the focus of the information technology community and the U.S. government expands to include application as well as network security.

Richard Clarke, the Bush administration's special advisor to the president on cyberspace security, has made application security a top priority. And, while he thinks the government should push vendors to produce more secure software, in public statements he also makes no qualms about siding with vendors in the debate over publicizing vulnerabilities.

"When you find a vulnerability, there is a responsible way and an irresponsible way to handle it," Clarke said at a town hall - style meeting held at the Massachusetts Institute of Technology in Cambridge, Massachusetts earlier this month.

At the meeting, Clarke exhorted security experts to report vulnerabilities first to the vendor, and to wait for a patch before informing the public.

"It does no one any good to tell the world about software vulnerabilities before a patch has been issued," Clarke said.

However, President Bush's point man on cybersecurity also sketched out an escalation chain that security experts might use in lieu of public notification when they encounter a wall of silence from vendors. Clarke named the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, Pennsylvania, and the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center as organizations that can also field warnings about insecure software products.

"If that doesn't work, call me," Clarke said, noting that his office can speak directly to the CEOs of recalcitrant companies, a technique that usually produces quick results.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?