Criticism Flies After MS Flaw Disclosure

Highlighting a growing concern in the tech industry regarding proper methods of making security vulnerabilities public, a senior analyst with Yankee Group has criticized security firms Secunia and HexView – the two companies responsible for the disclosure of the most recent flaw in Microsoft's software.

According to HexView, the company alerted Microsoft to the problem on March 30; however, it never received any response from Redmond officials. It decided to make the issue public via a mailing list the next day. Secunia later published an advisory on the issue this Wednesday; the flaw involves the Access database that comes with Microsoft Office.

Microsoft, however, denies ever hearing from either HexView or Secunia regarding the issue.

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed," a Microsoft spokesperson said.

Secunia has come under fire in recent months for its rapid-fire public disclosures of security flaws. It has also been accused of hyping issues that, in most cases, do not pose a serious threat. "I think Secunia is overplaying this issue a bit," Yankee Group senior analyst Andrew Jaquith told BetaNews. "I don't think [the database flaw] is a serious issue."

Asked for comment, Secunia strongly rebutted Jaquith's statement, as well as criticism from the public. "We have no interest in hyping vulnerabilities, as it could damage our credibility," Thomas Kristensen, CTO of Secunia, told BetaNews. "Those who believe that we hype issues, probably haven't read our critical rating definitions or they don't properly understand the possible consequences and attack vectors of a given vulnerability."

Yankee Group's Jaquith continued by saying HexView acted "badly" by not giving Microsoft enough time to respond before making the issue public, and went against its own policy by publishing details on a "high"-rated vulnerability.

"That is extremely unhelpful to customers, because it doesn't give the vendor adequate time to issue a patch, and it gives the bad guys a window of vulnerability to exploit," Jaquith explained.

Ryan Naraine, security reporter for Ziff Davis, commented that, "With the big Sasser and Blaster attacks, it was the premature release of information that caused those. That alone says the release of critical information without a patch should never happen."

HexView corrected Jaquith by saying its policy is to notify the public 24 hours after contact with the company if no response is received, unless it is a "critical" flaw. According to HexView, all it received was an automated "thank you" message from Microsoft. The group said that they "think through that we should let people know about the problem in case the vendor does not want to cooperate."

A HexView representative noted that public disclosure of security flaws has put software makers on overdrive to release new patches. "It takes months before vendors make a patch available for a problem that is not published, and it takes days -- or even hours -- to release the same patch when vulnerability details are publicly available," the representative said.

"Microsoft has done a much better job recently to work with private researchers and it's fair to expect the guys who find flaws to be responsible about how the information is released," added Naraine. "That said, some vendors are notorious for ignoring warnings and delaying fixes for months."
