Coming Clean on Patches

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.eweek.com/article/0,3658,s=701&a=27646,00.asp

June 3, 2002 
By Dennis Fisher 

A high-stakes battle is brewing between software developers and 
security researchers over when to release discovered vulnerability 
data and patches, and customers are caught in the cross fire.

The debate is about when researchers should alert the general public 
to the flaws they find. Industry protocol calls for discoveries to be 
kept quiet until a patch is available—usually no less than 30 days—to 
minimize the threat from hackers who could do damage in the interim.

That process, however, could soon change. A prominent security expert 
last week announced that he will give software companies just one week 
to patch a new vulnerability before he releases data about the flaw to 
the public.

Software companies decried the move, saying it will needlessly expose 
users to increased risk. But a new study by research company Hurwitz 
Group, of Framingham, Mass., found that 67 percent of CIOs and 
security professionals surveyed said they favored disclosure of such 
information immediately or within a week of its discovery. The study 
also showed that nearly 45 percent of respondents want to see detailed 
vulnerability information.

David Litchfield, co-founder of Next Generation Security Software Ltd. 
and author of the new policy, said the change is needed to force 
vendors to patch their products more quickly. According to Litchfield, 
software companies such as Microsoft Corp. are placing customers in 
harm's way by electing not to patch each vulnerability immediately and 
instead waiting to issue fixes in roll-ups or service packs.

"I'd rather have them produce a patch, give their customers all the 
relevant information about it so the customer can decide whether this 
vulnerability poses a threat to them," said Litchfield, in Surrey, 
England. "In the absence of the patch, though, the customer can't make 
this choice and is left exposed."

The reason software companies are against the accelerated notification 
period: "Money or avoiding embarrassment are probably the motivating 
factors," he said.

Nevertheless, quick disclosures of new flaws can leave customers 
defenseless for long periods of time.

While other security researchers said Litchfield's policy could 
provide interesting data on the time it takes vendors to release 
patches, they agreed that releasing vulnerability details so quickly 
could do more harm than good.

"How much information do you need to partially disclose? I think the 
vendor and software package is fine," said Chris Wysopal, director of 
research and development at @Stake Inc., a security consultancy and 
research company in Cambridge, Mass. "But more than that and you'll 
find people hammering away at [the vulnerability]. That's the part I 
have the biggest problem with. I question whether it needs to be out 
there until after the issue is resolved."

Microsoft officials reject the notion the company is deliberately 
leaving its customers exposed and said that it's inefficient and 
impractical for them to release a patch for every new vulnerability 
found in a Microsoft product.

"We don't try to hide vulnerabilities, but doing a single patch for 
every vulnerability isn't an efficient way to do business," said Scott 
Culp, manager of the Microsoft Security Response Center, in Redmond, 
Wash. "We could produce patches faster than users could test and 
implement them, which means they wouldn't patch. Without unusual 
circumstances, it makes a lot more sense to patch through a service 
pack."

Culp added that Microsoft has developed a standard that dictates that 
any flaw posing "a clear and present danger" to customers must be 
patched immediately; others can wait.

Marc Maiffret, chief hacking officer at eEye Digital Security Inc., in 
Aliso Viejo, Calif., whose company has identified several serious 
flaws in Microsoft products, said pressuring a vendor with public 
disclosure can work, but researchers must be careful about it.

"Every vulnerability is different and takes a different amount of time 
to patch," Maiffret said. "If the vendor isn't responding, it could be 
a good tool to motivate them, as long as you don't give enough 
information to create an exploit. But if people start to figure out 
the vulnerability through the workaround, it could cause problems."



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.