News Stay informed about the latest enterprise technology news and product updates.

Software flaw finders can be a reckless breed

Security researchers who go public with their discoveries before telling the makers of vulnerable software are doing IT administrators more harm than good, experts say.

Independent security researchers who post their discoveries of software vulnerabilities in public forums before alerting affected software vendors are doing IT administrators more harm than good, many experts say.

The issue is attracting interest now as Windows administrators face a steady stream of vulnerabilities, and subsequent patches to fix them. There have been past attempts by industry organizations to create rules of engagement between researchers, vendors and government agencies when vulnerabilities are discovered. But for the most part, reporting to the vendor first before going public is a voluntary decision.

It's an incident like this that worries some users: On July 16, an outfit called Hexview posted to a public forum a threat that could produce a denial of service attack in Microsoft Systems Management Server clients. Hexview, which only offers anonymous contact information in

Announcing the vulnerability without a patch doesn't help anyone.

Firas Raouf, COO,

eEye Digital Security

the form of an e-mail address, said in its posting that it is not its policy to notify vendors unless "there is a prior agreement to do so." Microsoft was not notified at the time this vulnerability was posted.

Experts say such an approach is the trademark of individual researchers who hunt down vulnerabilities for the love of the challenge. In most cases, large and reputable research firms do alert vendor firsts, and they work with vendors to develop a patch. Vendors often take the lead and research firms follow up with an advisory.

"Announcing the vulnerability without a patch doesn't help anyone," said Firas Raouf, chief operating officer for eEye Digital Security, a research firm and software manufacturer based in Aliso Viejo, Calif.

Protecting critical systems

Researchers at NGSSoftware Ltd. take an even more active role in the process. They advise government agencies charged with national security responsibilities that that government infrastructure is not compromised in the time between when a flaw is discovered and when it is patched, said David Litchfield, co-founder of NGSSoftware, a U.K.-based company.

Many IT managers say they generally prefer that researchers contact vendors first, though they admit it's a moot point because it's not something that can be legislated.

"I don't think anyone can be made to do anything," said Jim Purcell, manager of IT security engineering

For more information

Learn four best practices for vulnerability management


Check out Web links on Windows security
and standards at the Tennessee Valley Authority, the Knoxville, Tenn.-based utility. "The fear in what we've seen -- if not zero-day exploits, then one- and two-day exploits -- is that vendors haven't had a chance to make a fix."

Clyde Johnson, a senior network and systems administrator at Olin Corp., in Norwalk, Conn., said that software companies should be given first notice, but only up to about eight hours. He reasoned that once a vulnerability is discovered, it's already a threat.

Johnson cited a worm in March that targeted BlackIce firewall products and spread fast. "It was there before anyone knew about it," he said.

"If the rest of the community knows about it, we can always pull the plug," Johnson said. "Of course, it always depends on what it is."

Good practices offer the best protection

Indeed, once an exploit is posted, the clock is ticking for the black hats to take advantage, said Jeff Duntemann, a Colorado Springs, Colo., author and IT expert.

The most an IT shop can do is make sure it has a suitable firewall strategy. "It takes more than existence to make an exploit exploitable," Duntemann said. "Most automated worms can't get past a good firewall."

Duntemann said the emergence of applications written using managed languages may provide some relieve from this vicious circle. He said the C# language in Microsoft's .NET Framework will provide better security than applications written in C and C++, as one example.

Managed code is like having a strong gatekeeper watching over the code's execution. The virtual machine demands certain requirements and enforces execution restrictions. "You don't have the same buffer overflow problems," he said.

This transition won't happen quickly, given the difficulty of migrating applications off of one code base and onto another. Eventually, managed code will help eliminate a whole species of exploits, Duntemann said.

Issue has long been divisive

To disclose or not to disclose has been a polarizing issue for some time, said Jeffrey Carpenter, technical manager at the Carnegie Mellon Software Engineering Institute's CERT Coordination Center.

The Computer Emergency Readiness Team (CERT), a federally funded research and development center operated by Pittsburgh's Carnegie Mellon University, analyzes vulnerabilities to determine which vendors may be impacted so they can develop patches.

Carpenter said the volume of vulnerabilities has steadily increased, doubling over the past few years. Last year there were about 4,000 vulnerabilities reported.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.