Patch or No, Flaws to Go Public

A security researcher well-known for finding dozens of vulnerabilities in all manner of software products announced Monday that he will no longer automatically wait for a vendor to patch a flaw before he notifies the general public of the problem.

Tired of software vendors lack of responsiveness to security problems, David Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England, said he now will simply wait one week from the time he notifies the vendor of the problem before announcing the flaw publicly in what he calls a Vendor Notification Alert.

He will not, however, release the details of the vulnerability—just the fact that it exists and any workaround information that is available.

Litchfield is well-known in the security community and has a long history of uncovering vulnerabilities, most often buffer overruns, in products from companies such as Microsoft Corp., Oracle Corp. and IBMs Lotus division.

Litchfields new approach is likely to draw fire not only from vendors but from some members of the security community who believe that no mention of a new vulnerability should be made until a patch is available. The question of when to release vulnerability data and how much to say is an age-old one.

But to date, most researchers have erred on the side of caution, opting to accept a vendors assurances that it is working on a patch and often waiting weeks or months to announce the new vulnerability.

However, Litchfield in his announcement said lately he has “noticed a lethargy and an unwillingness to patch security problems as and when they are found.”

He also criticized the decision by some vendors to wait and release several patches in roll-ups or service packs, a practice he said leads to unnecessary exposure for the vendors customers. Litchfield cited an example of a new vulnerability he has discovered in a Microsoft product, which he says the company has decided not to patch immediately.

“Microsoft has chosen to assess the risk on behalf of their customers and not produce a patch. Id rather have them produce a patch, give their customers all the relevant information about it so the customer can decide whether this vulnerability poses a threat to them or not and therefore choose to patch or not,” he said. “In the absence of a patch, though, the customers cant make this choice and are left exposed.”

Officials at Microsoft, in Redmond, Wash., were unavailable to comment.