Coming Clean on Patches

A security researcher's decision to expose holes has vendors scrambling.

A high-stakes battle is brewing between software developers and security researchers over when to release discovered vulnerability data and patches, and customers are caught in the cross fire.

The debate is about when researchers should alert the general public to the flaws they find. Industry protocol calls for discoveries to be kept quiet until a patch is available—usually no less than 30 days—to minimize the threat from hackers who could do damage in the interim.

That process, however, could soon change. A prominent security expert last week announced that he will give software companies just one week to patch a new vulnerability before he releases data about the flaw to the public.

Software companies decried the move, saying it will needlessly expose users to increased risk. But a new study by research company Hurwitz Group, of Framingham, Mass., found that 67 percent of CIOs and security professionals surveyed said they favored disclosure of such information immediately or within a week of its discovery. The study also showed that nearly 45 percent of respondents want to see detailed vulnerability information.

David Litchfield, co-founder of Next Generation Security Software Ltd. and author of the new policy, said the change is needed to force vendors to patch their products more quickly. According to Litchfield, software companies such as Microsoft Corp. are placing customers in harms way by electing not to patch each vulnerability immediately and instead waiting to issue fixes in roll-ups or service packs.

"Id rather have them produce a patch, give their customers all the relevant information about it so the customer can decide whether this vulnerability poses a threat to them," said Litchfield, in Surrey, England. "In the absence of the patch, though, the customer cant make this choice and is left exposed."

The reason software companies are against the accelerated notification period: "Money or avoiding embarrassment are probably the motivating factors," he said.

Nevertheless, quick disclosures of new flaws can leave customers defenseless for long periods of time.

While other security researchers said Litchfields policy could provide interesting data on the time it takes vendors to release patches, they agreed that releasing vulnerability details so quickly could do more harm than good.

"How much information do you need to partially disclose? I think the vendor and software package is fine," said Chris Wysopal, director of research and development at @Stake Inc., a security consultancy and research company in Cambridge, Mass. "But more than that and youll find people hammering away at [the vulnerability]. Thats the part I have the biggest problem with. I question whether it needs to be out there until after the issue is resolved."

Microsoft officials reject the notion the company is deliberately leaving its customers exposed and said that its inefficient and impractical for them to release a patch for every new vulnerability found in a Microsoft product.

"We dont try to hide vulnerabilities, but doing a single patch for every vulnerability isnt an efficient way to do business," said Scott Culp, manager of the Microsoft Security Response Center, in Redmond, Wash. "We could produce patches faster than users could test and implement them, which means they wouldnt patch. Without unusual circumstances, it makes a lot more sense to patch through a service pack."

Culp added that Microsoft has developed a standard that dictates that any flaw posing "a clear and present danger" to customers must be patched immediately; others can wait.

Marc Maiffret, chief hacking officer at eEye Digital Security Inc., in Aliso Viejo, Calif., whose company has identified several serious flaws in Microsoft products, said pressuring a vendor with public disclosure can work, but researchers must be careful about it.

"Every vulnerability is different and takes a different amount of time to patch," Maiffret said. "If the vendor isnt responding, it could be a good tool to motivate them, as long as you dont give enough information to create an exploit. But if people start to figure out the vulnerability through the workaround, it could cause problems."

Related stories:

  • Review: Fixes, Not Patches, Are What IT Needs
  • Loudcloud Automates Patch Management