Patch or No, Flaws to Go Public | eWeek

Patch or No, Flaws to Go Public

Verfasst von
Dennis Fisher
Dennis Fisher
May 28, 2002
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

A security researcher well-known for finding dozens of vulnerabilities in all manner of software products announced Monday that he will no longer automatically wait for a vendor to patch a flaw before he notifies the general public of the problem.

Tired of software vendors lack of responsiveness to security problems, David Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England, said he now will simply wait one week from the time he notifies the vendor of the problem before announcing the flaw publicly in what he calls a Vendor Notification Alert.

He will not, however, release the details of the vulnerability—just the fact that it exists and any workaround information that is available.

Litchfield is well-known in the security community and has a long history of uncovering vulnerabilities, most often buffer overruns, in products from companies such as Microsoft Corp., Oracle Corp. and IBMs Lotus division.

Litchfields new approach is likely to draw fire not only from vendors but from some members of the security community who believe that no mention of a new vulnerability should be made until a patch is available. The question of when to release vulnerability data and how much to say is an age-old one.

But to date, most researchers have erred on the side of caution, opting to accept a vendors assurances that it is working on a patch and often waiting weeks or months to announce the new vulnerability.

However, Litchfield in his announcement said lately he has “noticed a lethargy and an unwillingness to patch security problems as and when they are found.”

He also criticized the decision by some vendors to wait and release several patches in roll-ups or service packs, a practice he said leads to unnecessary exposure for the vendors customers. Litchfield cited an example of a new vulnerability he has discovered in a Microsoft product, which he says the company has decided not to patch immediately.

“Microsoft has chosen to assess the risk on behalf of their customers and not produce a patch. Id rather have them produce a patch, give their customers all the relevant information about it so the customer can decide whether this vulnerability poses a threat to them or not and therefore choose to patch or not,” he said. “In the absence of a patch, though, the customers cant make this choice and are left exposed.”

Officials at Microsoft, in Redmond, Wash., were unavailable to comment.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.