The debate over responsible disclosure of security flaw warnings has erupted again, with Microsoft chiding a private research firm for releasing information on 10 new flaws found in the Windows XP SP2 (Service Pack 2) operating system.
San Jose, Calif.-based Finjan Software released an alert warning that attackers could “silently and remotely” hijack SP2 machines because of “major flaws” that compromise end-user security.
Finjan chief executive Shlomo Touboul told eWEEK.com that full technical details of the vulnerabilities—including proof-of-concept code—were given to Microsoft, but the software giant reacted sharply by suggesting that the Finjan warning is overblown.
“Our early analysis indicates that Finjans claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2,” a Microsoft spokesperson said.
“Once Microsoft concludes investigating Finjans claims and if Microsoft finds any valid vulnerability in Windows XP SP2, it will take immediate and appropriate action to help protect customers,” she added.
According to Finjan, the flaws are so serious that XP SP2 users are at risk if they simply browse a Web page. The holes also could be exploited to allow malicious hackers to remotely access users local files or to switch between Internet Explorer Security Zones to obtain rights of local zone.
The research outfit also claims that it discovered a bug in the notification mechanism built into XP SP2 to warn users when executable files are being downloaded. Finjan claims it has already proven to Microsoft that hackers can bypass the mechanism to inject arbitrary code without any warning or notification.
When told that Microsoft was discounting the severity of his companys claims, Finjans Touboul lashed back: “These are not theoretical assumptions. These findings are based on code implementing each and every one of those 10 vulnerabilities.”
Microsoft said it would continue investigating Finjans claims to confirm valid vulnerability claims before rolling out possible fixes.
“[We encourage] Finjan to abide by the principles of responsible disclosure and to decline to provide further comment or details on the alleged vulnerabilities until Microsoft is able to complete its investigation and can respond properly to protect customers,” the spokesperson said.
The back-and-forth between Microsoft and Finjan highlights the need for an acceptable protocol for cooperation between independent researchers and software vendors, said Gerhard Eschelbeck, chief technology officer of vulnerability management consulting firm Qualys.
“Im a big supporter of disclosing the required information at the appropriate time, and thats usually when a patch is available. In this case, you have to question the spirit of releasing information when the vendor is still doing investigations,” Eschelbeck said.
Finjan insists that it did nothing out of the ordinary. “We provided full disclosure and technical details only to the vendor. No technical details or proof-of-concept code are ever published. The information we put out is basic in nature to help people to protect themselves,” Touboul said.
Rick Fleming, chief technology officer of Texas-based Digital Defense Inc., said a good rule of thumb is to give a vendor 30 to 60 days to create and test software patches before releasing information.
“In a perfect world, the two sides should work together on a patch and coordinate the release of information when the fix is ready. That happens in many cases, but unfortunately, like in this case, its still a problem,” Fleming said.
Fleming said he believes software vendors also must take some of the blame. “Some vendors drag their feet when security issues are brought to their attention. Thats a fact, and thats a legitimate gripe among researchers.”
In many cases, independent flaw finders work only for the recognition of their peers, and they revel in the publicity generated from finding significant vulnerabilities. “There is competition among security researchers. Being able to say Ive looked at SP2 and found a serious file-handling problem that presents a major risk is a big deal for a researcher,” Fleming said.
Qualys CTO Eschelbeck said a big disconnect happens when distrust exists between a researcher and a vendor. “At the end of the day, responsible disclosure should always be in the interest of the end-user. If any element of disclosure puts the end-user at risk, thats irresponsible.”
Marty Lindner, team leader for incident handling at the federally funded CERT Coordination Center (CERT/CC), said he believes the vulnerability disclosure problem is exacerbated by the fact that research firms all have different policies.
“It becomes a philosophical question. On one extreme, you have the guys who favor full disclosure, against those who dont want to tell anyone anything, and thats the other extreme.”
Lindner said CERT/CC publishes its disclosure policy to publicly highlight the way flaw warnings are handled. It calls for all reported vulnerabilities to be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.
“Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure,” according to the CERT/CC vulnerability disclosure policy.
Lindner said affected vendors are notified of the centers publication plans and, in some cases, alternate publication schedules with the affected vendors are negotiated.