Independent security researchers who post their discoveries of software vulnerabilities in public forums before alerting affected software vendors are doing IT administrators more harm than good, many experts say.
The issue is attracting interest now as Windows administrators face a steady stream of vulnerabilities, and subsequent patches to fix them. There have been past attempts by industry organizations to create rules of engagement between researchers, vendors and government agencies when vulnerabilities are discovered. But for the most part, reporting to the vendor first before going public is a voluntary decision.
It's an incident like this that worries some users: On July 16, an outfit called Hexview posted to a public forum details of a flaw that could be used to mount a denial-of-service attack against Microsoft Systems Management Server clients. Hexview, which only offers anonymous contact information in
Experts say such an approach is the trademark of individual researchers who hunt down vulnerabilities for the love of the challenge. In most cases, large and reputable research firms do alert vendors first, and they work with the vendor to develop a patch. Vendors often take the lead, and the research firms follow up with an advisory.
"Announcing the vulnerability without a patch doesn't help anyone," said Firas Raouf, chief operating officer for eEye Digital Security, a research firm and software manufacturer based in Aliso Viejo, Calif.
Protecting critical systems
Researchers at NGSSoftware Ltd. take an even more active role in the process. They advise government agencies charged with national security responsibilities so that government infrastructure is not compromised in the window between when a flaw is discovered and when it is patched, said David Litchfield, co-founder of NGSSoftware, a U.K.-based company.
Many IT managers say they generally prefer that researchers contact vendors first, though they admit it's a moot point because it's not something that can be legislated.
"I don't think anyone can be made to do anything," said Jim Purcell, manager of IT security engineering
Clyde Johnson, a senior network and systems administrator at Olin Corp., in Norwalk, Conn., said that software companies should be given first notice, but only a head start of about eight hours. His reasoning: once a vulnerability is discovered, it is already a threat.
Johnson cited a worm in March that targeted BlackICE firewall products and spread fast. "It was there before anyone knew about it," he said.
"If the rest of the community knows about it, we can always pull the plug," Johnson said. "Of course, it always depends on what it is."
Good practices offer the best protection
Indeed, once an exploit is posted, the clock is ticking for the black hats to take advantage, said Jeff Duntemann, a Colorado Springs, Colo., author and IT expert.
The most an IT shop can do is make sure it has a suitable firewall strategy. "It takes more than existence to make an exploit exploitable," Duntemann said. "Most automated worms can't get past a good firewall."
Duntemann said the emergence of applications written in managed languages may provide some relief from this vicious circle. As one example, he said, applications written in C# on Microsoft's .NET Framework will be more secure than applications written in C and C++.
Managed code is like having a strong gatekeeper watching over the code's execution. The runtime verifies the code before it runs and enforces restrictions, such as bounds and type checks, while it executes. "You don't have the same buffer overflow problems," he said.
This transition won't happen quickly, given the difficulty of migrating applications off of one code base and onto another. Eventually, managed code will help eliminate a whole species of exploits, Duntemann said.
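The gatekeeper Duntemann describes comes down to a bounds check on every array write. The C program below is an added illustration, not code from the article or from any vendor it names; it shows the two behaviours side by side. An unchecked copy trusts the caller-supplied length and silently overwrites a privilege flag stored right after an 8-byte buffer, while a checked copy refuses the same input, which is what a managed runtime such as the .NET CLR does for every array access by raising an exception instead of writing. The struct layout and the oversized input are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the article. A record whose fixed
 * 8-byte name buffer sits directly in front of a privilege flag: the
 * layout in which an unchecked copy into name[] spills into is_admin. */
struct record {
    char name[8];
    int  is_admin;
};

/* The demo relies on char[8] at offset 0 and a 4-byte int at offset 8
 * with no padding; fail at compile time rather than overflow the object. */
_Static_assert(sizeof(struct record) == 12, "demo assumes 4-byte int, no padding");

/* Constructed sample input: 8 bytes of name followed by 4 bytes that
 * do not fit. The trailing 0xff bytes set every bit of whatever they
 * land on, so the result is the same on big- and little-endian hosts. */
static const unsigned char kOversized[12] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 0xff, 0xff, 0xff, 0xff
};

/* Unchecked copy, the C/C++ habit being contrasted: the caller's length
 * is trusted and never compared against the buffer size. The copy goes
 * through a byte view of the whole struct so the spill into is_admin is
 * well defined for this demo; a strcpy() into name[] overflows the same
 * way, with undefined behaviour on top. */
static void copy_unchecked(struct record *r, const unsigned char *src, size_t len)
{
    memcpy((unsigned char *)r, src, len);
}

/* Checked copy, the gatekeeper a managed runtime applies to every array
 * write: compare against the real capacity first and refuse the write
 * instead of corrupting the neighbour. Returns false when refused. */
static bool copy_checked(struct record *r, const unsigned char *src, size_t len)
{
    if (len > sizeof r->name)
        return false;           /* a managed runtime throws an out-of-range exception here */
    memcpy(r->name, src, len);
    return true;
}

/* Flag value after feeding the oversized input to the unchecked copy. */
int admin_after_unchecked(void)
{
    struct record r = { "guest", 0 };
    copy_unchecked(&r, kOversized, sizeof kOversized);
    return r.is_admin;          /* -1: all 32 bits of the flag were overwritten */
}

/* Flag value after feeding the same input to the checked copy;
 * *accepted reports whether the write was allowed at all. */
int admin_after_checked(bool *accepted)
{
    struct record r = { "guest", 0 };
    *accepted = copy_checked(&r, kOversized, sizeof kOversized);
    return r.is_admin;          /* 0: write refused, record untouched */
}

int main(void)
{
    bool accepted;
    printf("unchecked copy: is_admin = %d\n", admin_after_unchecked());
    printf("checked copy:   is_admin = %d (write accepted: %s)\n",
           admin_after_checked(&accepted), accepted ? "yes" : "no");
    return 0;
}
```

The unchecked path is the whole species of bug Duntemann has in mind: nothing in the language stops the twelfth byte from landing in the flag. The checked path is no cleverer, it simply compares the length to the capacity every time, and that is the check a managed runtime inserts for the programmer whether or not they remember to.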
Issue has long been divisive
To disclose or not to disclose has been a polarizing issue for some time, said Jeffrey Carpenter, technical manager at the Carnegie Mellon Software Engineering Institute's CERT Coordination Center.
The CERT Coordination Center, part of a federally funded research and development center operated by Carnegie Mellon University in Pittsburgh, analyzes reported vulnerabilities to determine which vendors are affected so that they can develop patches.
Carpenter said the volume of vulnerabilities has steadily increased, doubling over the past few years. Last year there were about 4,000 vulnerabilities reported.