When to Shed Light

Current disclosure environment raises questions.

Until recently, software security vulnerabilities were discovered mostly by chance and by developers, security specialists or other professionals. Once the flaw was discovered, news about it spread slowly and typically by word of mouth on bulletin boards or perhaps the occasional security lecture.

The huge network of security researchers—independent or otherwise—who race to find the next big vulnerability in Windows or Apache, for example, is a recent phenomenon.

So, too, are the overlapping and interconnected mailing lists on which the researchers publish their vulnerability bulletins. Lists such as BugTraq and Full Disclosure were founded to give administrators and other IT professionals a place to get early information on developing software problems.

But the amount of publicity and attention security has commanded in recent years has brought new, less experienced and less disciplined people into the security community. This, in turn, has led to vulnerability reports being published before patches are available, bulletins being stolen from researchers computers and posted without their knowledge, and a litany of other problems.

This chaos has led some in the community to question whether vulnerability research and disclosure, in its current form, does more harm than good. One side of the debate argues that because there is essentially an infinite number of potential vulnerabilities in software, finding and fixing a handful every year has no effect on the overall security landscape. On the other hand, since disclosing a vulnerability to the public means that good guys and bad guys alike get the information, disclosure can actually cause a great deal of damage.

"The point is not to say that these folks dont have the right to disclose anything they want—of course, they do. In fact, we must assume that, in general, people are finding vulnerabilities and not disclosing them and [that] they can be used against us," said Pete Lindstrom, research director at Spire Security LLC, in Malvern, Pa. "The point is to demonstrate that those folks that say full disclosure is in some way good for us are actually doing more harm than good. Just think how much better our security might be if the highly skilled people who spend all day, every day, searching for vulnerabilities in software would try to design a security solution."

Other disclosure opponents cite behavioral problems. First, studies and anecdotal evidence have shown that people are slow to apply patches for vulnerabilities, even when the flaw is a high-risk one. A prime example of this is the flaw in Microsoft Corp.s SQL Server 2000 software that became the breeding ground for the Slammer worm. Microsoft issued a patch for the vulnerability in July 2002, warning customers that anyone who exploited the problem would be able to run code on compromised machines.

Six months later, in January of this year, the Slammer worm tore through the Internet, infecting hundreds of thousands of unpatched machines in less than 15 minutes.

Second, attackers rarely, if ever, attack networks by using vulnerabilities that are unknown to the security community. With so many documented, unpatched flaws out there, why bother finding your own?

However, the most-often-repeated counter to these arguments is that disclosing vulnerabilities crackers may already be exploiting gives administrators a chance to catch up and patch their systems. In other words, it is always better to know than to be in the dark.

"Lets not kid ourselves. The bad guys are looking for security bugs, too, and when they find them, they keep the new holes to themselves. They can go around taking over machines at will," said David Litchfield, co-founder of Next Generation Security Software Ltd., in Surrey, England, and a prominent security researcher. "At least with the good guys finding bugs and working with the vendor to get out patches, the battle is somewhat more balanced. Finding new bugs is a considerably harder task than it was a year ago. All the low-hanging fruit, so to speak, has already been plucked. This is a good thing. The bad guys have to invest much more time and resource into finding their new secret hole, and the chances of finding something are reduced."