MOUNTAIN VIEW, Calif.–Claiming that the wanton posting of security information online is empowering hackers and hurting consumers, Microsoft Corp. is crafting a plan that would restrict the number of people privy to security vulnerability data.
Under the terms of the proposal circulated, which began as an online essay by Microsoft Security Response Center Manager Scott Culp, a small vulnerability-handling group would be required to observe a 30-day grace period during which they could not disclose any details about a new flaw that could aid attackers.
There would be a standard manner for dealing with the researchers who discover the vulnerabilities as well as a prescribed way of writing bulletins to inform the general public of the problem once a fix was in place. There would also be restrictions on the kinds of tools members could develop to test for vulnerabilities and with whom they can share those tools, Microsoft officials said.
Though the plan was well-received at the companys Trusted Computing forum here last week, it drew fire from some who said the proposal is nothing more than a ploy to cover up the Redmond, Wash., software makers security gaffes. In addition, they said the plan could be used to circumvent parts of the companys recent antitrust settlement with the Department of Justice.
“You cant trust what they say,” said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., in Cupertino, Calif., speaking of Microsoft. “Im sort of sympathetic, but for them, the less people know about the security of their products, the better. Theyre bad at security.”
Opponents of the Microsoft-DOJ deal last week openly speculated that Microsoft might be able to use the closed security group to limit the exchange of technical information to a few chosen partners, thus circumventing parts of the settlement that call for technology exchanges to ensure interoperability.
Microsoft officials vehemently denied the charges and said such an effort would fail before it ever got off the ground. “Thats absolutely untrue,” Culp said. “We have no designs for a closed process. We know two things: Theres a problem, and we dont have an answer.”
Microsofts standards effort is in its infancy. The process of forming a group to discuss a standard has yet to begin, and Culp said he has no way of knowing how long the development effort could take.
He also said Microsofts plan is to spark an industrywide discussion about vulnerability reporting and eventually develop a standard. “It has to be more than Microsoft,” said Chris Klaus, founder and CTO of Internet Security Systems Inc., in Atlanta. “It has to be all of the major software vendors as well as security companies.”
Two other criticisms of the proposal are the lack of incentive for other vendors to participate and the vague outline of the plan. One natural form for the effort to take is that of an Internet Engineering Task Force RFC (Request for Comment), but that would be a waste of time, critics say.
“Reporting is essential, if its done with responsibility being accepted by all parties,” said Russ Cooper, surgeon general of TruSecure Corp., in Herndon, Va. “[But] small vendors are never going to be able to do whatever the big boys can. So an RFC is dumb if it tries to state that some small vendor has to do things they just arent capable of doing.”
Microsoft officials acknowledged that the plan will have problems but said that, ultimately, most of them will be solvable.
BindView Corp., Guardent Inc., Foundstone Inc. and @Stake Inc. voiced immediate support for the Microsoft plan and said they will start following the new guidelines.
