Like the sound of a mosquito thwacking into a bug light on a steamy mid-summer’s night – about the opposite imagery of what many of us are experiencing right now as we sit buried under a blanket of winter snow – the arrival of last week’s emergency IE patch touched off a new wave of debate over the issue of responsible disclosure across the IT security industry.
The rumor is that Microsoft had no intention of releasing the patch until next month, until someone spilled the beans and they had to go public early. The fact that the company had only just released its monthly batch of security updates days before the advisory only added fuel to the fire.
Responsible disclosure is a topic that I’ve focused on more finitely over the last 6-8 months after going to work for a vendor that considers vulnerability research its lifeblood, and which published more security vulnerability advisories during calendar 2008 that it had issued in the previous 5 years altogether . At the end of the day, for the people that I work with, the consensus is that if there is a chance that there is code in the wild that can exploit a vulnerability, it’s best to make the news public as quickly as possible – after giving the involved vendor an acceptable amount of time to come up with a fix.
Ah, “acceptable time,” that’s the part that’s subjective, and which researchers and vendors often seem to disagree most about, with some experts questioning publicly if Microsoft moved fast enough to either announce or remedy the IE bug in this latest instance – as they are wont to do.
Microsoft defended that it wasn’t ready to go public yet, since it had only just learned of the problem itself. Fair enough?
It’s a tough question, really. Those of us working in the research community want people to get protected as quickly as possible, and feel that detailing the flaws that our colleagues discover publicly as soon as possible is the best way to do that.
Vendors defend that they need a long time to test security patches to ensure compatibility, in Microsoft’s case with literally millions of applications for use with IE. And both sides are understandable, when the parties involved are reasonable. Ah, “reasonable” there’s another subjective idea.
When vendors won’t respond, sometimes researchers go public anyway which surely does put more people at risk as attackers move to adopt the new flaw in their attacks. But otherwise, they are merely unprotected and unknowing of the threat for attack, as in the case of the IE bug before the announcement.
Which situation is better? Who wins? It’s hard to say. In many cases it’s sort of a no win for anyone.
This is why some researchers are questioning how the traditional process of responsible disclosure can be remedied to lessen the impact of zero days on end users while still giving companies like Microsoft a chance to get their patches in order. Take BitDefender’s Razvan Stoica for instance.
On one hand:
“Microsoft is reaping what they (and other major software companies) have sown – the huge media backlash is a direct consequence of the policy of ‘responsible disclosure,” the expert said in a blog post on the Malware City portal. “A really responsible researcher would tell everyone, so that mitigating actions can be considered and the software company is pressured into releasing a fix quickly.”
But, taking into the consideration the near certainty for attacks to heat up when a vulnerability is detailed before a fix is cooked up, the expert also concedes:
“How many people find out about a particular bug depends on who finds it – a ‘responsible disclosure’-type researcher informs only the software manufacturer, while a black hat evil hacker type might create an exploit and not tell anyone about it, ever, using the exploit only sparingly, on high-value targets,” Stoica writes. “Which of these strikes you as a desirable situation? How about if you were a software company?”
And he’s right, it really is a no-win situation. Taking into mind that there are a lot of researchers looking to sell vulnerability data to vendors, or who may also be willing to sell it to the bad guys, the morass of issues becomes even harder to untangle.
What is responsible disclosure? How are all parties considerations best protected?
There are clearly no simple answers to these questions, and the industry will surely be pounding this question throughout the coming year, as seemingly little has changed in the last year, though at least Microsoft has taken steps to uncloak its process a bit.
Personally, I don’t think that there is an answer, and that it’ll always be the nature of the beast.
But it’ll always be a hot topic, even in the middle of winter.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].