Security companies split over flaw disclosures

When researchers at GreyMagic Software discovered a batch of security vulnerabilities in Microsoft's Internet Explorer earlier this month, their first response was to test the vulnerabilities and make sure they were for real. What they did next, however, raised the ire of Microsoft and others within the software industry.

In addition to sending information about the vulnerabilities to Microsoft, GreyMagic on Tuesday published information about the vulnerabilities along with code showing how the vulnerabilities could be exploited on their public Web site. They also sent e-mail announcing their discovery to a variety of public Web sites frequented by computer security experts and computer hackers.

"Under the full disclosure policy, we're releasing these vulnerabilities to the public and to Microsoft at the same time," the company, which is based in Israel, said in an e-mail notifying the public about the vulnerabilities. "Notifying Microsoft ahead of time and waiting for them to patch the reported issues proved as non-productive."

The company's provocative action this week adds fuel to a long-simmering dispute between software vendors and researchers who look for security vulnerabilities over who has a right to know about security holes in commercial software and when they have a right to know it.

"The only one way that is proven to handle security vulnerabilities is for the person who finds a vulnerability to report it to the vendor," said Scott Culp, manager of Microsoft's Security Response Center. "The vendor is the only entity capable of creating a patch."

But Lee Dagon, head of research and development at GreyMagic, says that cooperation with Microsoft can often lead to long delays in getting patches -- delays that put users at risk.

The decision to publicize the Internet Explorer vulnerabilities this week followed a number of incidents in which the company was slow to respond to security issues disclosed to them confidentially by GreyMagic, according to Dagon.

"This is our twelfth advisory regarding IE (Internet Explorer). Most of our previous IE advisories were indeed reported to Microsoft prior to the release. Each time Microsoft failed to produce a patch in a timely manner, leaving users exposed for months at a time," Dagon wrote in an e-mail regarding the dispute.

For Culp, however, such arguments are sophistry that disguises a troubling phenomenon -- professional security experts giving information on software vulnerabilities away to hackers.

"This is not an abstract problem. The vast majority of users don't read security mailing lists and don't read postings about product vulnerabilities. Hackers do. (Disclosing vulnerabilities) only serves to tell hackers about vulnerabilities, and telling them how to go and exploit vulnerabilities is clearly not in the best interests of users," Culp said.

In his e-mail, Dagon listed a number of security vulnerabilities discovered by GreyMagic along with the length of time that passed between when each vulnerability was reported and when Microsoft, based in Redmond, Washington, issued a patch for it. In one instance more than six months passed before a patch was issued, according to Dagon.

According to Dagon, publicizing vulnerabilities is one way to get Microsoft to respond in a timely manner.

While Culp agrees that disclosing security vulnerabilities to the public is likely to result in a faster reaction from Microsoft, he argues that the quicker turnaround is not always in the best interest of consumers.

Microsoft receives thousands of reports of vulnerabilities each year from individuals and from companies such as GreyMagic, according to Culp. As a result, the company must prioritize its activities, fixing the most serious vulnerabilities first, and leaving less critical holes to be patched later.

But when a company or individual releases information about a vulnerability to the public that planning goes out the window, according to Culp.

"A publicized vulnerability necessitates a much faster schedule and increases the priority of checking out that report even above other reports that could turn out to be more important, but weren't (publicized). Because it presents clear and present danger to customers, we have to push other things aside. It's not an effective way to protect customers," Culp said.

Many security companies agree.

"We know that some holes are more important than others," said Aviram Jenik, chief executive officer of Beyond Security Ltd., another Israeli security company that generally works with software vendors and does not publicize vulnerabilities before a patch is available.

"Unless we have serious disagreement with the vendor, which is very rare, we'll trust their judgment," Jenik said.

The dispute is demanding more attention, as the focus of the information technology community and the U.S. government expands to include application as well as network security.

Richard Clarke, the Bush administration's special advisor to the president on cyberspace security, has made application security a top priority. And, while he thinks the government should push vendors to produce more secure software, in public statements he also has no qualms about siding with vendors in the debate over publicizing vulnerabilities.

"When you find a vulnerability, there is a responsible way and an irresponsible way to handle it," Clarke said at a town hall-style meeting held at the Massachusetts Institute of Technology in Cambridge, Massachusetts earlier this month.

At the meeting, Clarke exhorted security experts to report vulnerabilities first to the vendor, and to wait for a patch before informing the public.

"It does no one any good to tell the world about software vulnerabilities before a patch has been issued," Clarke said.

However, President Bush's point man on cybersecurity also sketched out an escalation chain that security experts might use in lieu of public notification when they encounter a wall of silence from vendors. Clarke named the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, Pennsylvania, and the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center as organizations that can also field warnings about insecure software products.

"If that doesn't work, call me," Clarke said, noting that his office can speak directly to the CEOs of recalcitrant companies, a technique that usually produces quick results.
