Martin McKeay

Security Matters

Responsible Disclosure: eEye vs. Microsoft

I've made no secret of the fact that I'm not the biggest fan of the practice of 'responsible disclosure', at least the version where the vendor has all the control and can cry foul whenever a researcher discloses anything.  I believe that Microsoft and other vendors use responsible disclosure as a shield to prevent researchers from notifying the public about vulnerabilities and to keep everything running on the vendor's schedule.  Apparently this is exactly what is happening in a dispute over a vulnerability introduced by a patch earlier this month from Microsoft, MS06-042.  This Internet Explorer patch fixed a large number of vulnerabilities, some published by Microsoft, some fixed without notifying the public, while it also created a new vulnerability that could crash IE 6 and allow a malicious web site to execute arbitrary code on the target computer.  eEye discovered the vulnerability, notified Microsoft and sat back to wait for a patch.  The patch was apparently ready several days ago and was supposed to be released yesterday, but was delayed due to problems with the patch and SMS.  Not a problem with the patch itself, just a problem with how it's being distributed to big businesses.

eEye has taken exception to the process, and, predictably, Microsoft has cried foul and is saying eEye is not practicing responsible disclosure.  My friend, Alan Shimel, also had to chime in with his own opinions on the subject.   Alan and I have disagreed on this subject before, but I think the core of our argument is well illustrated by the issue between Microsoft and eEye:  the problem is not with the concept of responsible disclosure, it's with whose definition of responsible disclosure you use.  According to eEye, they've practiced responsible disclosure by notifying Microsoft, waiting an appropriate amount of time before notifying the public and not disclosing the specifics of the vulnerabilities.  According to Microsoft, eEye has not practiced responsible disclosure because eEye isn't waiting for Microsoft to have all of their ducks in a row and is proceeding despite the fact that Microsoft is having problems with their distribution system.

You might be able to guess which side of this argument I'm on.

One aspect of this argument that I find interesting is that Microsoft has actually released more details of the vulnerability and how it's exploited than eEye has.  On their site, eEye states that the vulnerability exists, but then points to Microsoft's pages for details on how to mitigate the vulnerability, which is where the bulk of the information exists.  A malicious coder is going to get more mileage out of reading Microsoft's site than they ever will out of reading what eEye has disclosed.  So who's practicing responsible disclosure here?

I like the concept of responsible disclosure, I just believe that the software vendors have too much of a stake in the process to be the ones who call the shots.  I'm not trying to pick on Microsoft, they just happen to be the latest, highest profile example; even eEye is saying Microsoft has improved their disclosure process in the last several years.  But vendors definitely have a vested interest in the process and shouldn't be the ones who get to define responsible disclosure. eEye might not be the best ones to define it either, since they also have interests of their own in publicizing vulnerabilities.  The ideal thing would be to have a group like the IEEE define and manage the process, but even they haven't been able to get a handle on disclosure, mostly because of internal politics.  So I guess the debate will continue and each party is going to have to define responsible disclosure on their own terms.

What People Are Saying

Are you kidding me? First

Are you kidding me? First off Microsoft is cracked. Not long ago there was an article that stated that Microsoft would now focus more on fixing its software and handling of user complaints. In the old days (and not much has changed) it would be months before they would even acknowledge an issue. Seems like not much has changed. And one would think that with a company that has been around as long as Microsoft it'd be easier for them to acknowledge that they sell buggy software. If you think I’m wrong about how buggy their software is, name one Microsoft Windows version that didn’t need some kind of patch before you got it out of the box. The Internet Explorer browser is another good example of things that don’t seem to get better.

They find a vulnerability or two, fix those with a patch that creates even more. This also happened not too long ago, which sent a panic through the Netting community and actually helped Mozilla out.

The thing that I find so fascinating these days is that so many people are willing to pay so much for so little. With Microsoft you’re just paying for a name and ending up with crap. Why waste the time, energy, headache, and money? Go with Linux, go with Mozilla or Mozilla Firefox, and go back to Microsoft when they have their head out of their… and are no longer pouting like little babies complaining about how wrong it is that someone told on them after they had burned down the house. I’m more inclined to want to know why the house is messed up, and grateful that at least someone was responsible enough to inform me.

Well, I work for a large

Well, I work for a large company that was directly impacted by this patch. I will certainly give you my two cents, if it's worth that. Microsoft has a problem with communication, internally and externally with its customers. They are bordering on irresponsible behavior. Bottom line: because of this major problem I'm changing our software standards and being more open to open source products. I feel Microsoft took it in the teeth with this patch and it will cost them in the future.

"Microsoft has a problem

"Microsoft has a problem with communication, internally and externally with its customers. They are bordering on irresponsible behavior."

I agree with you totally! They communicate the minimal amount to keep people off their backs.

To paraphrase Bruce Schneier, no system can be secure without an element of human trust... Do you trust Microsoft? I don't for a New York second or as far as I can spit.

I work on the CERT team for a very large company, and some of my co-workers were starting to use the MS Security Response Center as a valid reference! Over my dead body! (and I previously was a Microsoft employee, so I know how they operate internally)

The true question becomes,

The true question becomes, who would you rather find vulnerabilities first? The person who wants to steal as much as possible from you, or the person you pay to keep them from doing it?

Fact, Microsoft released a patch that was flawed. Why does anyone care who tells everyone first?

Complaining about eEye's actions means you should be complaining about Symantec’s, Trend’s or McAfee’s as well.

Comments about eEye doing this for the money seem stupid given the fact that Microsoft often releases problem-riddled software which costs money!!

Think about it..........

Okay, so there's the vendor

Okay, so there's the vendor and there's the person who discovers a vulnerability, and neither of them should get to define "responsibility", lest they define it in a way that serves their own interest. But there is also the customer who -- by using the product as intended by the vendor -- puts himself at risk unknowingly. I think it's pretty clear how the customer would define "responsibility": if there is a vulnerability, tell us about it. Immediately. Vendor, researcher, business rival -- we don't really care. Then you can continue to quibble about "responsible disclosure".

Microsoft hides so much crap

Microsoft hides so much crap and has the ability to monitor anything you do, as secure as you think you are. They basically own you if you use a computer running their OS. If you didn't know that, then it's likely Microsoft isn't the only one watching you.

As Martin mentioned, I have

As Martin mentioned, I have blogged on this. Since then Ross Brown of eEye has commented and I have responded. Fundamentally, I agree with Martin: who gets to define "responsible" in "responsible disclosure"? From a practical perspective, the fact is that if eEye had not disclosed to the press "under embargo", they would not have been under the gun to make sure MS released this patch today and not tomorrow. Also, for them to say they did this to protect their customers and not to sell more product and toot their own horn is just not credible.

I agree with everbody here.

I agree with everybody here. I received several emails from eEye saying that Microsoft this, and Microsoft that. Boo hoo! Then at the same time they try to sell a product. "We've got a work-around. Buy this and all your problems are fixed." I feel that they try to find exploits just to sell a product. Hey eEye, we are not dumb here. And I really don't think that eEye gave MS proper notice as they say. Yes, we all would love to have a network free from vulnerabilities. I quote Sir Dystic (Cult of the Dead Cow): "Everybody thought that the internet was going to be safe and people were going to play fair. Why would you think that?"

One of the things that's

One of the things that's quickly overlooked in the how's and why's of responsible (or irresponsible) disclosure is that ALL of the risk associated with a vulnerability falls on the vendor. It's their bug, it's their responsibility to fix. Without the bug, the disclosure argument is moot. Also, before it was ever disclosed (perhaps even to the vendor), it was still a bug, with risk associated with it. Just because YOU didn't know about it does not mean ANYONE didn't.

Would you cry foul to the guy who found that asbestos caused cancer? It had the potential to cause cancer from the very first time it was installed, but people blindly kept using it until the linkage was discovered. Does this guy get a bad rap for putting the asbestos factories on the chopping block?

Disclaimer: I am employed at eEye, but these comments are my own. Take them as you will.

Let’s see, what is the

Let’s see, what is the motivation for eEye to notify the public? Money!
eEye, you make it sound like you are all on the public's side and shame on Microsoft, but that position does not hold water when you have a vested interest in finding vulnerabilities in the first place to sell your own products.

I am not going to run out and buy your product because you can beat Microsoft by announcing something before Microsoft has a fix. You all need to be team players, and if sitting on your hands is what’s required then you do so.