Security companies split over flaw disclosures

When researchers at GreyMagic Software discovered a batch of security vulnerabilities in Microsoft's Internet Explorer earlier this month, their first response was to test the vulnerabilities and make sure they were for real. What they did next, however, raised the ire of Microsoft and others within the software industry.

In addition to sending information about the vulnerabilities to Microsoft, GreyMagic on Tuesday published on its public Web site details of the vulnerabilities along with code showing how they could be exploited. The company also sent e-mail announcing the discovery to a variety of public Web sites frequented by computer security experts and computer hackers.

"Under the full disclosure policy, we're releasing these vulnerabilities to the public and to Microsoft at the same time," the company, which is based in Israel, said in an e-mail notifying the public about the vulnerabilities. "Notifying Microsoft ahead of time and waiting for them to patch the reported issues proved as non-productive."

The company's provocative action this week adds fuel to a long-simmering dispute between software vendors and the researchers who hunt for security vulnerabilities: who has a right to know about security holes in commercial software, and when.

"The only one way that is proven to handle security vulnerabilities is for the person who finds a vulnerability to report it to the vendor," said Scott Culp, manager of Microsoft's Security Response Center. "The vendor is the only entity capable of creating a patch."

But Lee Dagon, head of research and development at GreyMagic, says that cooperation with Microsoft can often lead to long delays in getting patches -- delays that put users at risk.

The decision to publicize the Internet Explorer vulnerabilities this week followed a number of incidents in which Microsoft was slow to respond to security issues that GreyMagic had disclosed to it confidentially, according to Dagon.

"This is our twelfth advisory regarding IE (Internet Explorer). Most of our previous IE advisories were indeed reported to Microsoft prior to the release. Each time Microsoft failed to produce a patch in a timely manner, leaving users exposed for months at a time," Dagon wrote in an e-mail regarding the dispute.

For Culp, however, such arguments are sophistry that disguises a troubling phenomenon -- professional security experts giving information on software vulnerabilities away to hackers.

"This is not an abstract problem. The vast majority of users don't read security mailing lists and don't read postings about product vulnerabilities. Hackers do. (Disclosing vulnerabilities) only serves to tell hackers about vulnerabilities, and telling them how to go and exploit vulnerabilities is clearly not in the best interests of users," Culp said.

In his e-mail, Dagon listed a number of security vulnerabilities discovered by GreyMagic along with the length of time that passed between when each vulnerability was reported and when Microsoft, based in Redmond, Washington, issued a patch for it. In one instance more than six months passed before a patch was issued, according to Dagon.

According to Dagon, publicizing vulnerabilities is one way to get Microsoft to respond in a timely manner.

While Culp agrees that disclosing security vulnerabilities to the public is likely to result in a faster reaction from Microsoft, he argues that the quicker turnaround is not always in the best interest of consumers.

Microsoft receives thousands of reports of vulnerabilities each year from individuals and from companies such as GreyMagic, according to Culp. As a result, the company must prioritize its activities, fixing the most serious vulnerabilities first, and leaving less critical holes to be patched later.

But when a company or individual releases information about a vulnerability to the public, that planning goes out the window, according to Culp.

"A publicized vulnerability necessitates a much faster schedule and increases the priority of checking out that report even above other reports that could turn out to be more important, but weren't (publicized). Because it presents clear and present danger to customers, we have to push other things aside. It's not an effective way to protect customers," Culp said.

Many security companies agree.

"We know that some holes are more important than others," said Aviram Jenik, chief executive officer of Beyond Security Ltd., another Israeli security company that generally works with software vendors and does not publicize vulnerabilities before a patch is available.

"Unless we have serious disagreement with the vendor, which is very rare, we'll trust their judgment," Jenik said.

The dispute is demanding more attention, as the focus of the information technology community and the U.S. government expands to include application as well as network security.

Richard Clarke, the Bush administration's special advisor to the president on cyberspace security, has made application security a top priority. And while he thinks the government should push vendors to produce more secure software, in public statements he has no qualms about siding with vendors in the debate over publicizing vulnerabilities.

"When you find a vulnerability, there is a responsible way and an irresponsible way to handle it," Clarke said at a town hall-style meeting held at the Massachusetts Institute of Technology in Cambridge, Massachusetts earlier this month.

At the meeting, Clarke exhorted security experts to report vulnerabilities first to the vendor, and to wait for a patch before informing the public.

"It does no one any good to tell the world about software vulnerabilities before a patch has been issued," Clarke said.

However, President Bush's point man on cybersecurity also sketched out an escalation chain that security experts might use in lieu of public notification when they encounter a wall of silence from vendors. Clarke named the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, Pennsylvania, and the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center as organizations that can also field warnings about insecure software products.

"If that doesn't work, call me," Clarke said, noting that his office can speak directly to the CEOs of recalcitrant companies, a technique that usually produces quick results.

Paul Roberts

Computerworld