When is it right to go public with security flaws?
Posted on 27 Jul 2010 at 10:53
Nicole Kobie examines the prickly issue of "responsible" security disclosure
When it comes to security flaws, who should be warned first: users or software vendors?
That debate has been reignited after a spat between Google and Microsoft, and the latter could be about to raise the issue again at this week’s Black Hat conference in Las Vegas.
A tweet from the Microsoft Security Response Centre (MSRC) said: “What is the next logical step for community based defence for [Microsoft]? The answer to be announced at Black Hat USA.”
The current round of bickering kicked off last month, when Google researcher Tavis Ormandy discovered a flaw in Windows Support. He passed the details to Microsoft, but took it public within days, saying if he hadn’t published a working exploit, the firm wouldn’t have taken him seriously.
"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure'); those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines are required to join the dots," Ormandy claimed.
Microsoft wasn’t pleased, and made a point of telling the world exactly how many computers were hacked using the flaw before they could patch it – 25,000, at last count.
While some fellow security researchers agreed with Microsoft, others backed Ormandy, with a few joining forces to create the Microsoft Spurned Researchers Collective, promising to fully disclose all discovered vulnerabilities.
Google eventually waded into the battle, with an open letter – signed by Ormandy – promising support to all researchers who take a flaw public after giving vendors a fair chance to fix it first. Google tried to balance disclosure with a 60-day deadline, putting pressure on vendors while still giving them time to develop patches.
"The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect," the post noted.
Coordinated vulnerability disclosure
Microsoft responded with its own idea, saying researchers should work more closely with vendors, and that a deadline wasn’t always reasonable.
It called for the industry to ditch the phrase “responsible disclosure”, saying it suggested full disclosure wasn't responsible, and said the industry should practice “coordinated vulnerability disclosure” instead.
vista registry issues with updates - error 57e
We have had problems with Office updates on Vista SP2 getting repeated error 57e. This is well documented on the net as being something to do with registry update permissions; we resolved this by uninstalling Rapport.
By robmar0se on 28 Jul 2010