A vulnerability in Microsoft Corp.'s Windows first identified in May—but only now receiving widespread attention—has reopened the contentious debate between security researchers and software vendors over the proper method and time frame for disclosing security flaws.
Few topics cause as much hand-wringing and heartburn as full disclosure. Simply mentioning the subject in some circles can generate the kind of quasi-religious zeal and partisan rhetoric normally reserved for discussions about gun control or nuclear proliferation. Indeed, some participants in the debate see the early release of vulnerability information as roughly analogous to handing loaded guns to gangs of trigger-happy juvenile delinquents.
Improving the patch-handling process has been a key part of Microsoft Chairman and Chief Software Architect Bill Gates' Trustworthy Computing push.
The debate has taken twists and turns over the years but almost always comes down to the question of whether releasing details about flaws before patches are ready serves any legitimate purpose. Software vendors, of course, argue that such practices are the height of irresponsibility and serve only to give crackers a road map for compromising unprotected systems.
Some researchers agree, while others say publishing early vulnerability reports can give administrators a head start on locking down vulnerable machines. And, they argue, if a flaw is already known in the cracker community, it's best to get the information into the hands of the good guys as well. Nearly all well-known research organizations, including Next Generation Security Software Ltd., eEye Digital Security, @Stake Inc., PivX Solutions Inc., Immunity Inc. and others, generally follow a policy of notifying vendors of their findings and then waiting until a patch is ready before publishing an advisory on the vulnerability.
Details Trickle Out
But that's not always the case. Last month, researchers at Core Security Technologies and Immunity each released advisories about a remotely exploitable flaw in the WINS (Windows Internet Naming Service) system in many versions of Windows. WINS is an internal system for naming machines on a network, somewhat akin to the Internet's DNS (Domain Name System). Researchers have known about a vulnerability in the service since May, when some rough details about the problem were published.
Many security organizations did their own auditing of WINS and found the flaw themselves after the first notice came out and then built exploits for it. But it was not until Thanksgiving, when Core released its advisory, that the problem became widely known. Immunity followed up the next day with its advisory, which was detailed and included instructions on how to exploit the vulnerability.
Neither bulletin appeared in any of the popular online summaries of security activity during the Thanksgiving weekend, leading some in the security community to accuse Microsoft of pressuring watchdog groups such as The SANS Institute and US-CERT to keep the issue quiet. Microsoft officials said “in no way whatsoever could that possibly be true.”
Although the flaw was disclosed in May, Microsoft just published technical guidance on the problem last week and has not yet produced a patch, a fact that has some researchers questioning the Redmond, Wash., company's commitment to security. “How long have they really known about this? It was disclosed in May. Did Microsoft find it and pretend no one knew about it?” asked Dave Aitel, CEO of Immunity, based in New York. “It's been exploited since May. Any large organization will be running [WINS]. Our exploit is a perfectly reliable remote root.”
Microsoft officials said that the original May report of the WINS vulnerability was “very fragmented and not very detailed” and that another researcher brought the company a detailed report a few weeks later. Microsoft has been working on a fix for the flaw since then, but there is no specific timeline for its release. Officials added that researchers releasing vulnerability reports before fixes are ready makes the patching process harder.
“Our drive is to make sure the update doesn't introduce new vulnerabilities. We have to focus on quality because we can't just give you an update that breaks your infrastructure, because then you won't trust updates from us again,” said Stephen Toulouse, security program manager at the Microsoft Security Response Center.