Patch or No, Flaws to Go Public | eWeek

Patch or No, Flaws to Go Public

Écrit par
Dennis Fisher
Dennis Fisher
May 28, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

A security researcher well-known for finding dozens of vulnerabilities in all manner of software products announced Monday that he will no longer automatically wait for a vendor to patch a flaw before he notifies the general public of the problem.

Tired of software vendors lack of responsiveness to security problems, David Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England, said he now will simply wait one week from the time he notifies the vendor of the problem before announcing the flaw publicly in what he calls a Vendor Notification Alert.

He will not, however, release the details of the vulnerability—just the fact that it exists and any workaround information that is available.

Litchfield is well-known in the security community and has a long history of uncovering vulnerabilities, most often buffer overruns, in products from companies such as Microsoft Corp., Oracle Corp. and IBMs Lotus division.

Litchfields new approach is likely to draw fire not only from vendors but from some members of the security community who believe that no mention of a new vulnerability should be made until a patch is available. The question of when to release vulnerability data and how much to say is an age-old one.

But to date, most researchers have erred on the side of caution, opting to accept a vendors assurances that it is working on a patch and often waiting weeks or months to announce the new vulnerability.

However, Litchfield in his announcement said lately he has “noticed a lethargy and an unwillingness to patch security problems as and when they are found.”

He also criticized the decision by some vendors to wait and release several patches in roll-ups or service packs, a practice he said leads to unnecessary exposure for the vendors customers. Litchfield cited an example of a new vulnerability he has discovered in a Microsoft product, which he says the company has decided not to patch immediately.

“Microsoft has chosen to assess the risk on behalf of their customers and not produce a patch. Id rather have them produce a patch, give their customers all the relevant information about it so the customer can decide whether this vulnerability poses a threat to them or not and therefore choose to patch or not,” he said. “In the absence of a patch, though, the customers cant make this choice and are left exposed.”

Officials at Microsoft, in Redmond, Wash., were unavailable to comment.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.