Proactive security: The only responsible way to go
- TAGS:debate, Microsoft, responsible disclosure, vendors
- IT TOPICS:Applications, Cybercrime & Hacking, Internet, Privacy, Security, Security Hardware & Software, Windows
Last month, Google's security team sent a message to the Internet security community: we need to redefine responsible disclosure. The current method of reporting security vulnerabilities is outdated and too slow.
Responsible disclosure, in its current form, requires that security vulnerabilities are reported privately to vendors first, allowing them time to research the problem and find a solution.
In theory, the current method is designed to lessen the chances that the vulnerability will be exploited by not revealing it publicly.
Google claims the opposite is true. Software vendors "research" indefinitely, to put off costly patching of their products. This leaves the vulnerabilities open to exploitation, which Google calls "irresponsible."
Software vendors and some security experts argue that following responsible disclosure protects end users by keeping vulnerabilities secret until they can be fixed, which can take time.
Recent revelations of vulnerabilities in multiple Windows applications illustrate both sides of the issue. Last week, Rapid7's HD Moore reported on 40 Windows applications featuring critical vulnerabilities.
The same bugs were then reported in over 200 Windows apps by Slovenian security firm Acros and researcher Taeho Kwon, both of whom claimed to have been studying the bugs for months. Kwon said he reported them to Microsoft in March.
This week, Microsoft responded by issuing a protective tool. However, the tool is not available as an automatic update, nor has Microsoft identified the apps in question.
Because the vulnerabilities lie within applications, any attempt to patch Windows might render vulnerable apps useless. To fix each individually will take time and money.
In the meantime, hackers now know of the vulnerabilities, leaving users at risk.
It's impossible to say whether keeping the Microsoft vulnerabilities completely under wraps would have left any end user more or less secure. However, the fact remains that these vulnerabilities and others are out there, whether end users are informed or not.
To remain properly protected against all threats, users must be responsible for themselves.
- Be proactive -- Users must understand that security is their responsibility as well. Stay informed and up-to-date on security issues, be prepared to take quick action, and be involved in securing your system. Simply leaving your security in the hands of others is akin to expecting your front door to lock itself.
- Update -- Many of the programs recently in question may have already been patched by software updates. Protect yourself from exploitation by ensuring that all of your programs, particularly those that are used in conjunction with the Internet, are updated to their latest versions, and that any emergency security patches are installed. Don't rely on automatic downloads. Seek out tools such as the one released this week by Microsoft to ensure top-notch protection.
- Use caution and observation -- With unknown threats lurking, extra caution is always prudent. Following common Internet security practices may not be enough. Employ extreme caution and a healthy dose of skepticism whenever you download or install anything, and be especially observant of any changes or issues with your system.
- Don't hesitate -- The exploitation of these sorts of vulnerabilities can cause serious damage or take complete control of a computer. At the first sign of a problem, disconnect any network connections and seek professional computer support immediately. Quick action may prevent more significant damage to your computer and your wallet.
- Be heard -- The software vendors and researchers debating responsible disclosure are supposed to help keep you safe. So, no matter which side of the debate you fall on, let your voice be heard. It's your security, and your input matters.
There's likely no end in sight to the debate over responsible disclosure. But there is no debate that security is everyone's responsibility, including ours. Be proactive and don't rely on researchers or vendors to keep you safe.
David A. Milman, Founder and CEO of Rescuecom
