[ISN] Coming Clean on Patches

From: InfoSec News (isnat_private)
Date: Tue Jun 04 2002 - 01:37:45 PDT

  • Next message: InfoSec News: "Re: [ISN] NSA Launches Ad Campaign Urging Secrecy"

    Forwarded from: William Knowles <wkat_private>
    June 3, 2002 
    By Dennis Fisher 
    A high-stakes battle is brewing between software developers and 
    security researchers over when to release discovered vulnerability 
    data and patches, and customers are caught in the cross fire.
    The debate is about when researchers should alert the general public 
    to the flaws they find. Industry protocol calls for discoveries to be 
    kept quiet until a patch is available—usually no less than 30 days—to 
    minimize the threat from hackers who could do damage in the interim.
    That process, however, could soon change. A prominent security expert 
    last week announced that he will give software companies just one week 
    to patch a new vulnerability before he releases data about the flaw to 
    the public.
    Software companies decried the move, saying it will needlessly expose 
    users to increased risk. But a new study by research company Hurwitz 
    Group, of Framingham, Mass., found that 67 percent of CIOs and 
    security professionals surveyed said they favored disclosure of such 
    information immediately or within a week of its discovery. The study 
    also showed that nearly 45 percent of respondents want to see detailed 
    vulnerability information.
    David Litchfield, co-founder of Next Generation Security Software Ltd. 
    and author of the new policy, said the change is needed to force 
    vendors to patch their products more quickly. According to Litchfield, 
    software companies such as Microsoft Corp. are placing customers in 
    harm's way by electing not to patch each vulnerability immediately and 
    instead waiting to issue fixes in roll-ups or service packs.
    "I'd rather have them produce a patch, give their customers all the 
    relevant information about it so the customer can decide whether this 
    vulnerability poses a threat to them," said Litchfield, in Surrey, 
    England. "In the absence of the patch, though, the customer can't make 
    this choice and is left exposed."
    The reason software companies are against the accelerated notification 
    period: "Money or avoiding embarrassment are probably the motivating 
    factors," he said.
    Nevertheless, quick disclosures of new flaws can leave customers 
    defenseless for long periods of time.
    While other security researchers said Litchfield's policy could 
    provide interesting data on the time it takes vendors to release 
    patches, they agreed that releasing vulnerability details so quickly 
    could do more harm than good.
    "How much information do you need to partially disclose? I think the 
    vendor and software package is fine," said Chris Wysopal, director of 
    research and development at @Stake Inc., a security consultancy and 
    research company in Cambridge, Mass. "But more than that and you'll 
    find people hammering away at [the vulnerability]. That's the part I 
    have the biggest problem with. I question whether it needs to be out 
    there until after the issue is resolved."
    Microsoft officials reject the notion the company is deliberately 
    leaving its customers exposed and said that it's inefficient and 
    impractical for them to release a patch for every new vulnerability 
    found in a Microsoft product.
    "We don't try to hide vulnerabilities, but doing a single patch for 
    every vulnerability isn't an efficient way to do business," said Scott 
    Culp, manager of the Microsoft Security Response Center, in Redmond, 
    Wash. "We could produce patches faster than users could test and 
    implement them, which means they wouldn't patch. Without unusual 
    circumstances, it makes a lot more sense to patch through a service 
    Culp added that Microsoft has developed a standard that dictates that 
    any flaw posing "a clear and present danger" to customers must be 
    patched immediately; others can wait.
    Marc Maiffret, chief hacking officer at eEye Digital Security Inc., in 
    Aliso Viejo, Calif., whose company has identified several serious 
    flaws in Microsoft products, said pressuring a vendor with public 
    disclosure can work, but researchers must be careful about it.
    "Every vulnerability is different and takes a different amount of time 
    to patch," Maiffret said. "If the vendor isn't responding, it could be 
    a good tool to motivate them, as long as you don't give enough 
    information to create an exploit. But if people start to figure out 
    the vulnerability through the workaround, it could cause problems."
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 04:45:27 PDT