Industry Group Wants Software Holes Kept Mum

A collection of security companies has formed a group to create standard policies and guidelines for how information about software security flaws is distributed and published. Created during a series of workshops at Microsoft Corp.'s three-day Trusted Computing Forum this week, one of the proposed guidelines would restrict those who find flaws in software products from publishing the methodology on how to exploit those holes for 30 days.

"The main concept is one of acting responsibly with respect to the disclosure of and fixing of vulnerabilities," said Eddie Schwartz, senior vice president and chief operating officer for security company Guardent Inc. "Right now, it's the wild wild west and even well intentioned people don't know what to do."

The group proposed creating a "grace period" in which companies could plug any exploits and distribute patches and tools to customers without fear of any further exploits of the holes. The group will also create a set of procedures that software makers must follow to ensure that users are informed about risks and that vulnerabilities are fixed in a timely


The group was initially backed by six companies, including Microsoft, which was the first software maker to come on board. It will urge independent security researchers, as well as major technology companies like Hewlett-Packard Co. and Sun Microsystems Inc., to join, Schwartz said. Founding members include @stake Inc., Internet Security Systems Inc., Bindview Corp. and Foundstone Inc.

The issue is one that Microsoft is close to, as it has recently found itself responding to security holes discovered in its products. The company issued a security bulletin Thursday warning that information about "cookies" in its Internet Explorer 5.5 and 6.0 browsers can be exposed or altered, making personal information vulnerable.

Craig Mundie, Microsoft's chief technology officer for advanced strategies, addressed similar security issues during the first day of the Trusted Computing Forum Tuesday. Mundie went as far as comparing the malicious coders who have exploited holes in Microsoft's software to the terrorist cells behind the attacks on the U.S.

"The evolution of hacking is very, very akin to this network of terror cells," he said at the forum. "And there is the potential to treat them the way we treat terrorist cells."

Scott Culp, manager of Microsoft's security response center, who was present during the working group, also published an essay earlier this month criticizing the publication of "exploit code," which allows computer hackers to take advantage of known vulnerabilities.

"It's high time the security community stopped providing blueprints for building these weapons," he wrote.

However, one independent programmer, who was behind identifying several high-profile security holes, said he had doubts that the initial proposal for the industry group will address the core problem behind malicious attacks on software.

"I'm not sure if any hard and fast guidelines are particularly useful," said Marc Slemko, a Seattle-based developer, adding that a 30-day grace period could backfire and take pressure off software makers to fix problems quickly and accurately.

"Some don't have a user's best interest in mind," he said.

Earlier this month, Slemko published technical findings of an exploit he discovered in Microsoft's Passport authentication service three days after he made Microsoft aware of the problem and two days after it was fixed. Slemko has a history of airing security flaws including one in September that he said left Verizon Wireless Inc. vulnerable to


"It certainly is true that there are certain individuals that go about releasing security holes in ways that are not designed in the best interest of the companies or the users of that software," Slemko said. "While I don't see any obligation to consider these guidelines seriously, there are some societal responsibilities to the users of the


Guardent's Schwartz stressed that the proposals from the new group will also force the software makers to act more responsibly.

"They're going to be under more pressure because they're going to have reporting requirements to follow," Schwartz said.

Microsoft agreed during the conference that it must be more responsible to ensure security in its products, he said.

"Obviously, Microsoft has some interest in this -- their customers are getting beaten up," he said.

Inquiries about the new working group can be directed to Guardent in Waltham, Massachusetts, at +1-781-577-6500, or online at Microsoft Corp. in Redmond, Washington, can be reached at +1-425-882-8080, or online at
