The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.
Last week, Immunity published an advisory highlighting four security holes in Apple Computer's Mac OS X--vulnerabilities that the security company had known about for seven months but had kept to itself and its customers instead of disclosing the problem to Apple.
What's new:
Despite pressure from Microsoft and other companies about the dissemination of security alerts, independent researchers are sticking to their own approach to flaw disclosure.
Bottom line:
The debate about when and how to inform people about security risks is causing fractures in the industry.
"I don't believe that anyone has an obligation to do quality control for another company," Aitel said. "If you find out some information, we believe you should be able to use that information as you wish."
Despite efforts from Microsoft and other companies to direct how and when security alerts are sent out, independent researchers like Aitel are sticking to their own vision of flaw disclosure.
For them, software companies have become too comfortable in dealing with vulnerabilities--a situation that has resulted in longer times between the discovery of security holes and the release of patches.
At the heart of the issue is the software industry push for "responsible" disclosure, which calls on researchers to delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack, the argument goes. But the approach also has benefits for software makers, a security expert pointed out.
"As long as the public doesn't know the flaws are there, why spend the money to fix them quickly?" said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring company. "Only full disclosure keeps the vendors honest."
The debate over how open the discussion of flaws should be is not a new one. The locksmith community has been talking over the issue for more than a century and a half, and it still has failed to find consensus.
Matt Blaze, a computer science professor at the University of Pennsylvania, has seen firsthand the ire that the issue can raise. Blaze has studied how security threats in the logical world compare to problems with physical locks in the real world. His papers have revealed weaknesses in locks that some professional locksmiths would have liked to keep secret.
"We, as professionals in the security field, are outraged and concerned with the damage that the spread of this sensitive information will cause to security and to our profession," a person claiming to be a retired locksmith wrote in a bulletin board posting about Blaze's work.
That reaction is nothing new, Blaze found. Locksmiths have always been close-mouthed about the weaknesses of locks and, as far back as the mid-19th century, an inventor of mechanical locks found it necessary to defend himself when he published details of such flaws.
"Rogues knew a good deal about lock picking long before locksmiths discussed it among themselves, as they have lately done," Alfred C. Hobbs wrote in a book published in 1853, according to Blaze's site. The author also wrote:
"If a lock, let it have been made in whatever country or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance."
In the past, many hackers and security researchers outed glitches without much thought of the impact on Internet users. Microsoft, among others, changed this. As part of its 3-year-old "Trustworthy Computing" initiative to tame security problems in its software, the company began an outreach program to support the work of the security community. At the same time, it started chastising those researchers who, it believed, released details of flaws too early.
Balance of power?
The result is a tradeoff between security researchers and software businesses that is supposed to benefit product users.
Apple, for example, keeps the work of its security team wrapped in secrecy and issues patches approximately every month. Microsoft has moved to a strict second-Tuesday-of-each-month patch-release schedule, unless a flaw arises that poses a critical threat to customers' systems. Database maker Oracle has settled on a quarterly schedule.
"We think it is in the best interest of our customers," said Kevin Kean, director of Microsoft's security response center. "A large portion of the research community agrees with us and works with us in a responsible way."
But some security researchers believe the tradeoff is benefiting companies too much, as it allows them to tweak their patching processes at their convenience, and without the need to introduce fixes disturbing the progress of software development. That adds up to a lax attitude to security, some experts believe.
For example, eEye Digital Security abides by Microsoft's responsible disclosure guidelines, but posts the length of time since it reported a vulnerability to the software giant on a special page on its Web site. The top-rated flaw on the company's Web site was first reported to Microsoft almost six months ago.
The detente also makes manufacturers look good in terms of the lag between the public warning of a flaw and the release of a patch. For example, a year-old study by Forrester Research gave a nod to Microsoft
software products. That's no different than independent testing
and reporting done on other types of products, such as
Consumers Reports does. Microsoft and Apple, in particular,
enjoy very cozy relations with an army of media sycophants. The
survival of many a web site and magazine, depends on not
alienating those companies, which are able to manipulate the
news about their companies adroitly. Naturally Gates and Jobs
take great offense at being treated as mere mortals who produce
products with flaws.
Speaking of flaws, I find one in this article:
"Last week, Immunity published an advisory highlighting four
security holes in Apple Computer's Mac OS X--vulnerabilities
that the company had known about for seven months but had
kept to itself and its customers."
Apple didn't share the information with its customers in general,
but possibly with a very few customers, although the writer of
this article offers no evidence of such. Apple certainly didn't send this
customer a message about the flaws. If it had shared the
vulnerabilities with its customers, there would have been no
reason for the information to be made public by Immunity.
Millions of Apple customers would hardly have conspired to
keep the flaws a secret.
one but its paying customers. Then Immunity went public with
the vulnerabilities. Apple did not find out about the
vulnerabilities until Immunity went public with the information.
This is totally irresponsible of Immunity. Period.
I support a company's right to use its information for its own
good. It was (and is) fine for Immunity to find flaws and then tell
only its own paying customers for a finite period of time. This is
how companies make money and keep existing.
However, going directly from keeping to itself and only its
paying customers to going public with the information is
irresponsible. The crackers and Apple found out the information
at the same time. A dedicated cracker team MIGHT have found a
way to crack many, many Macs before Apple got out a fix. This
has had the potential of endangering the data of many people
and businesses. (Apple just yesterday issued a security patch so
it may have responded first.)
The responsible way to handle it is simple:
The finder uses the information for his own benefit for a finite
period of time (say 60-90 days).
The finder tells the software developer a finite period before
going public (say another 60-90 days).
The finder goes public with the flaw if the software developer
has not already done so.
When the flaw goes public (either by the software developer or
the finder) the finder is specifically mentioned as having found
the flaw first.
This way everyone wins. The flaw finder gets benefit from his/
her efforts. The software developer gets a head start on the
crackers. The public is guaranteed to find out about the flaw so
the software developer has absolutely no ability to just "sit on"
the flaw and do nothing.
Security flaws should be disclosed so people are aware and can act accordingly. The flaws shouldn't be there to begin with, but companies short-shrift the quality control process to push *crap* out the door. It's about chasing dollars, not a quality product.
They need the pressure applied.
One thing the article lacks at disclosing is, "How critical is the security hole?" As for Apple, they may have known about the problems for a while, but if the hole is small with little or no risk of exploitation, why fix it immediately when you can work on a broad solution to fix many problems at once?
While no OS is completely without problems, Apple does enjoy a great deal of freedom from the majority of the problems that affect Microsoft. This gives Apple more room to withhold updates so that it can focus resources on a more critical area.
Microsoft on the other hand continues to suffer a losing battle on many fronts, especially with the average user who has little knowledge on how to stop adware/spyware/viruses. They do not enjoy any room to maneuver resources if a hole is discovered as they are expected to fix all of the problems...now. This has to do with the large and un-technical population as well as the past and current problems that continue to plague the Windows environment. Plus, they have much more in terms of resources to throw at the problem, and they should.
Maybe I should send them a bill for the countless hours I have spent to fix my associates' computers due to a lack of oversight in creating a more robust system, out of the box.
Many folks are stockholders and bad news, even if it's non-credible or insignificant, can hurt everyone. Extortion comes to mind.
Heck, we can't even get gov agencies to cooperate and fix holes. You think Microsoft will jump every time a pipsqueak yells "sky is falling" so that they make a buck?
Non-profit, supportive folks aren't out for financial gain- they want problems fixed.
But this Immunity company is spinning "known but under-control" flaws. And why Apple? Because it's gaining in market? It's profitable and shares quadrupled in value since last year? I smell a tick...
To deliver a flawless product, you need lots of development time and money which typically means higher costs for the end user and delaying the use of technology that may become outdated by the time it is delivered.
Some consumers are content with purchasing flawed software provided that the economics are correct and the flaws will be fixed when they are found. That is, if the flaws are worth the cost savings to the consumer for having immediate gratification from the immediate availability of the software. In modern times, as speed and availability become the critical cornerstone in outbidding your competitors, some consumers find that a satisfactory compromise.
rather than Apple. I stand corrected.
publicized security attack that is successful, so it should be
more attuned to vulnerabilities. A large airline might survive a
fatal crash, but a small one would almost surely be done in by
such a calamity. It is very hard to predict the impact of a security
hole. An enterprising cretin might find a way to turn what seems
small into a very large problem, indeed.
IMHO Companies should be given a 30 days lead time to diagnose, fix and most importantly test the fix before the vulnerability is publicly disclosed.
If the vulnerability is disclosed publicly first you have a race between the bad guys trying to exploit it and the vendor trying to fix it, with the inevitable result being more successful exploits as well as buggy patches being released without proper testing.
Which leads to a related issue: the MS once-a-month patch schedule was created primarily to reduce the load for IT departments so they weren't staying late installing patches 6 times a month. With immediate public disclosure it would be even worse, as every patch would need to be loaded immediately as it is released, and some patches would need to be loaded and then the patches to those patches.
While Apple shouldn't have sat on a vulnerability for 7 months, the answer isn't letting vendors know at the same time you are letting the virus/worm writers.
p.s. I didn't feel like doing the research but IIRC the industry's "responsible disclosure" program calls for something like this, where there is advance notice on a vulnerability but the vendor is free to disclose publicly after a period of time whether or not the vendor has released a patch.
still for 7 months, the security team who found the
vulnerabilities (in BSD, not OS X directly) didn't tell Apple for 7
months! The writer's English seems to have confused this issue.
Sincerely,
Gregory D. MELLOTT
How long, do you think, before the company is sued out of existence because they released information on a security hole that's used to exploit a company's network? Or before they erroneously release a report on a security release that is non-existent, and have to deal legally with the vendor?
And how exactly do these companies make money, anyways?
If not for people finding and making them public, crap like windows would be even more insecure. Now that is a scary thought.
Sincerely,
Gregory D. MELLOTT
- Another interesting story by Robert Lemos
- by n3td3v January 29, 2005 6:15 PM PST
- Well done :-) I even put it on my security list. Keep up the good work!