
Mum's Not The Word

Security pros want disclosure of new bugs sooner rather than later.

On May 23, Georgi Guninski informed Microsoft about a security flaw he discovered in the way Excel XP handles XML stylesheets--a vulnerability that hackers could use to gain control of a computer. The next day, the independent security consultant posted the finding on his Web site and on BugTraq, a security mailing list.

Researchers and consultants discover software vulnerabilities daily. Some work with vendors and don't disclose their findings until the vendor has validated the problem and developed a patch. The way Guninski handled the alert may place businesses at greater risk of being attacked or cause unnecessary confusion and apprehension if the security advisory is incorrect, Microsoft says. "We're not in favor of things that make it easier for the bad guys to break into our customers' systems," says Steve Lipner, director of security assurance at Microsoft.

Business-technology managers may not be in lockstep with Microsoft's position. They want newly discovered software vulnerabilities disclosed as soon as possible. Hurwitz Group recently asked 313 security professionals how soon they want software vulnerabilities disclosed. Thirty-nine percent said immediately, and 28% said within one week of discovery. What's more, 44% said they believe disclosure is the only way to get software companies to write secure applications.

"Customers have no faith in software vendors voluntarily working harder at security, and they think forcing vendors to respond to specific, well-publicized vulnerabilities is the only way to get them to secure their software," says Pete Lindstrom, Hurwitz's director of security strategies.

That rings true for many users. "I'm for full disclosure," says Herb Mattord, adjunct professor of information security at Kennesaw State University in Georgia and former security manager at Georgia-Pacific Corp. Software vendors, including Microsoft, have a history of dragging their feet when dealing with software vulnerabilities discovered in their apps, Mattord says. "Everyone has had enough of this."

Keeping security holes quiet doesn't ensure that others won't find them or haven't already, warns James Finn, an ethical hacker and principal of worldwide enterprise security for Unisys' consulting practice. "You can't put your head in the sand when it comes to security," he says. "Knowledge is the best thing."

Only 13% of the survey's respondents said disclosure makes it too easy for hackers to move into action, while 37% said hackers are already aware of the flaws and public disclosure helps companies better protect their systems. Only 12% said disclosure should be delayed until a patch is available.
