The Fear Industry - InformationWeek


The Fear Industry

Shameless self-promoters? Fearmongers? Sure, security researchers aren't always model citizens, but business technology pros want them on the job.

The brow-beating by security researchers did have one practical effect. Criticized for not patching the WMF vulnerability fast enough, Microsoft was compelled to issue a WMF security patch five days ahead of its normally scheduled "Patch Tuesday" security download. Before the early release, Microsoft had said it wouldn't issue an emergency patch because the vulnerability's infection rates had stabilized, the risk of infection was generally seen as low to moderate, and the company needed more time to properly test its patch. The widespread endorsement of Guilfanov's work changed the equation, especially once reports began rolling in that malware was already being written to exacerbate the WMF problem.

Beyond Microsoft

Given the sensitive information these researchers traffic in, there's really only one rule for them to follow: responsible disclosure. This refers to giving software makers a chance to patch their products and users time to patch their systems before disclosing details about a vulnerability. Microsoft and many other vendors have E-mail addresses that researchers can use to report their findings.

But researchers know that there's a lot more attention to be had and money to be made by going straight to the Internet with information about vulnerabilities and so-called proof-of-concept exploit code that some hackers say is necessary to convince vendors of the urgency of fixing software bugs. This code also provides a malware template for less experienced hackers.

Microsoft isn't the only vendor on which the research community keeps a close eye. Apple's Mac iChat instant messaging service was hit in February by the OSX/Leap.a Trojan after an unknown user posted a link to this malware from the site. Oracle likewise has a following of vulnerability hunters, who caused a stir around the company's January critical patch update by openly discussing flaws in its software and publishing controversial workaround code.

And don't forget Cisco Systems nemesis Michael Lynn, the former Internet Security Systems researcher who now works for Cisco competitor Juniper Networks. Lynn's July 2005 Black Hat conference presentation proved hackers could break into Cisco's Internetwork Operating System and take control of a company's network traffic. That presentation, more than any other software flaw "outing," put the spotlight on software security analyst practices. Lynn, who did his research on IOS as a member of ISS's X-force research arm, infuriated Cisco, which accused him of making its customers' networks more vulnerable. Lynn claimed that he was simply alerting Cisco customers that the unthinkable, a malicious hack into IOS, was possible.

Loose Lips ...

WMF isn't the only run-in Microsoft has had this year with overly ambitious researchers. More recently, Andreas Sandblad, a researcher for Secunia Research, a company that exists solely to find and report software vulnerabilities, discovered a flaw in Internet Explorer: an error in the Web browser's processing of the "createTextRange()" JavaScript method call that let attackers install keystroke loggers and other malicious software. Secunia discreetly warned Microsoft of the problem. However, Microsoft says another researcher publicly posted a warning about the vulnerability before notifying Microsoft, which issued its advisory days later. Microsoft decided to wait until its regularly scheduled April 11 Patch Tuesday to fix the problem, opening the door for another research firm, eEye Digital Security, to issue a patch, though it consulted with Microsoft first.

Just a few days prior to the createTextRange bug's debut, Dutch programmer Jeffrey van der Stad alerted Microsoft to an IE problem related to the way the browser processes HTML applications, or HTA files. Van der Stad had published detailed information about the vulnerability on his Web site but later pared back the information at Microsoft's request.
