November 12, 2004 2:10 PM PST
Finjan: Warning users or scaring up business?
In a statement that contained few details, the U.K. company claimed that the vulnerabilities could enable attackers to remotely access a victim's files, remove security measures aimed at Internet threats and run programs without any notification to the user.
Windows XP SP2 "suffers because it is still basically the same operating system and has some major flaws which compromise end-user security," Shlomo Touboul, CEO of the firm, said in statement. "By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."
The company did not wait for Microsoft to fix the issues, as many security companies do, and used the announcement to push its own wares as a way to be protected from the threats.
While security researchers have sometimes outed flaws in Microsoft products before the software giant has published a patch, security companies have generally waited to announce vulnerabilities until Microsoft had a way to protect its customers. Finjan's press release has reopened the debate over what should be considered the responsible disclosure of software flaws.
In the latest case, Microsoft believes that Finjan's flaw reports are, in many cases, overstated or altogether mistaken, said Debby Fry Wilson, director of marketing for Microsoft's security business and technology unit.
"We do feel strongly that what they are doing is premature, will cause market confusion and is an overstatement of the breadth and severity," she said. "We are very disappointed that they are engaged in a PR ploy rather than thinking about what is best for customers and the security of customers."
However, Finjan's CEO maintained that the company is merely warning people that Windows XP Service Pack 2 is not a digital fortress fully protected from Internet attacks. He labeled the press release education, not confabulation.
"People need to know that they have to be careful--and without education, people won't be careful," Touboul said during an interview with CNET News.com. "I wouldn't say we are scaring people. I don't believe in panic but in very calculated behavior."
While Touboul did not say whether the company gave Microsoft 30 days to fix the issue, as has become the industry norm, he maintained that Finjan gave the software company enough time, and more than enough information to take care of the issues.
"We don't want to argue with Microsoft about these things," he said. "We found the 19 vulnerabilities, and we showed that you could take remote control of a computer."
However, Microsoft's Wilson took issue with Finjan's move, contending that the software giant does not agree on how many of the flaws are real. Moreover, because the security company released the issues piecemeal, the software giant argues that it is not certain that Finjan has even named 10 vulnerabilities.
"They have been contacting us over time regarding various issues," Wilson said. "But there is no definitive communications between Microsoft and Finjan about 10 specific issues."
How and when security vulnerabilities should be disclosed has long been debated in the security community. Many researchers believe that companies and individuals should publicly announce vulnerabilities after giving the software maker enough time to fix them. Usually, programmers get a month to fix the problems.
The line between marketing products and disclosing security vulnerabilities should be well-defined for security companies, said Geoff Shively, chief scientist at security company PivX Solutions.
"Being a security company, you have to consider the impact on global Internet security before doing anything," he said. PivX has released software flaw advisories and plugged its products, but the company always gives Microsoft adequate time to fix the issues, he said. "Vulnerabilities are too dangerous and too powerful to be used as a marketing tool."
Software creators are frequently angered by researchers who do not allow them much time to fix problems. A year ago, game information site GameSpy sent a legal warning to an Italian security researcher who had found holes in that company's products. In June 2002, Linux software makers became peeved at security company Internet Security Systems for not giving them enough time to fix a problem before releasing an advisory about the issue.
2 commentsJoin the conversation! Add your comment