The Fear Industry - InformationWeek

4/13/2006

The Fear Industry

Shameless self-promoters? Fearmongers? Sure, security researchers aren't always model citizens, but business technology pros want them on the job.

The brow-beating by security researchers did have one practical effect. Criticized for not patching the WMF vulnerability fast enough, Microsoft was compelled to issue a WMF security patch five days ahead of its normally scheduled "Patch Tuesday" security download. Before the early release, Microsoft had said it wouldn't issue an emergency patch because the vulnerability's infection rates had stabilized, the risk of infection was generally seen as low to moderate, and the company needed more time to properly test its patch. The widespread endorsement of Guilfanov's work changed the equation, especially once reports began rolling in that malware was already being written to exacerbate the WMF problem.

Beyond Microsoft

Given the sensitive information these researchers traffic in, there's really only one rule for them to follow: responsible disclosure. This refers to giving software makers a chance to patch their products and users time to patch their systems before disclosing details about a vulnerability. Microsoft and many other vendors have E-mail addresses that researchers can use to report their findings.

But researchers know that there's a lot more attention to be had and money to be made by going straight to the Internet with information about vulnerabilities and so-called proof-of-concept exploit code that some hackers say is necessary to convince vendors of the urgency of fixing software bugs. This code also provides a malware template for less experienced hackers.

Microsoft isn't the only vendor on which the research community keeps a close eye. Apple's Mac iChat instant messaging service was hit in February by the OSX/Leap.a Trojan after an unknown user posted a link to this malware from the MacRumors.com site. Oracle likewise has a following of vulnerability hunters, who caused a stir around the company's January critical patch update by openly discussing flaws in its software and publishing controversial workaround code.

And don't forget Cisco Systems nemesis Michael Lynn, the former Internet Security Systems researcher who now works for Cisco competitor Juniper Networks. Lynn's July 2005 Black Hat conference presentation proved hackers could break into Cisco's Internetwork Operating System and take control of a company's network traffic. That presentation, more than any other software flaw "outing," put the spotlight on software security analyst practices. Lynn, who did his research on IOS as a member of ISS's X-force research arm, infuriated Cisco, which accused him of making its customers' networks more vulnerable. Lynn claimed that he was simply alerting Cisco customers that the unthinkable, a malicious hack into IOS, was possible.

Loose Lips ...

WMF isn't the only run-in Microsoft has had this year with overly ambitious researchers. More recently, Andreas Sandblad, a researcher for Secunia Research, a company that exists solely to find and report software vulnerabilities, discovered a flaw in Internet Explorer: an error in the Web browser's processing of the "createTextRange()" JavaScript method call that let attackers install keystroke loggers and other malicious software. Secunia discreetly warned Microsoft of the problem. However, Microsoft says another researcher publicly posted a warning about the vulnerability before notifying Microsoft, which issued its advisory days later. Microsoft decided to wait until its regularly scheduled April 11 Patch Tuesday to fix the problem, opening the door for another research firm, eEye Digital Security, to issue a patch, though it consulted with Microsoft first.

Just a few days prior to the createTextRange bug's debut, Dutch programmer Jeffrey van der Stad alerted Microsoft to an IE problem related to the way the browser processes HTML applications, or HTA files. Van der Stad had published detailed information about the vulnerability on his Web site but later pared back the information at Microsoft's request.
