
Forcing vendors to fix bugs under deadline

New bug-fixing deadline for software makers will mean quicker turnaround time on releasing security patches and better protection for consumers and corporations, experts say.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

TippingPoint sponsors the Pwn2Own contest at CanSecWest every year, providing cash prizes to researchers for successful exploits. Dino Dai Zovi (left) won the contest two years ago. He helped out during the contest this year and is shown here consulting with TippingPoint security researcher Aaron Portnoy during a mobile-phone hack attempt. Elinor Mills/CNET

In October 2006, security researcher H.D. Moore discovered a serious problem with the way applications running on Windows display rich text content.

He reported the vulnerability to Microsoft and nearly four years later it's still not fixed, despite the fact that it could be exploited to run malicious code on a PC and take control of it.

Unfortunately, this is not an isolated incident. According to the Zero Day Initiative, which serves as a broker between security researchers who find flaws and software companies who need to fix them, there are 122 outstanding vulnerabilities that have been reported to vendors and which have not been patched yet. The oldest on the list was reported to IBM in May 2007 and more than 30 of the outstanding vulnerabilities are older than a year.

But a new policy announced Wednesday by TippingPoint, which runs the Zero Day Initiative, is expected to change this situation and push software vendors to move more quickly in fixing the flaws.

Vendors will now have six months to fix vulnerabilities, after which time the Zero Day Initiative will release limited details on the vulnerability, along with mitigation information so organizations and consumers who are at risk from the hole can protect themselves.

"There is a large quantity of bugs that have gone unpatched for a long time," said Aaron Portnoy, manager of security research at TippingPoint, which is owned by Hewlett-Packard.

Retroactive deadline
The deadline will apply retroactively so all currently outstanding vulnerabilities--regardless of when they were submitted--will have to be patched by February, a TippingPoint spokeswoman said.

"That's awesome," security researcher Dino Dai Zovi said when told about the Zero Day Initiative deadline news.

"A number of high-profile attacks in the past year have used exploits that had been known by the vendors and had been in the queue to be fixed," he said. "Decreasing the amount of time from when the vulnerability is discovered to when it is patched will shrink the window when other people may discover the vulnerability and take advantage of it."

Vendors can request an extension and it will be granted on a case-by-case basis, Portnoy said. The group will share e-mails TippingPoint and vendors exchange when an extension is requested so the community can see why the vendor needs more time, he said.

"We understand some vulnerabilities will take longer to patch," he said. "We're hoping for a quicker turnaround time."

The lack of a deadline fostered a vulnerability-disclosure environment that was ripe for abuse. Security experts accuse vendors of dragging their feet on fixes. That leaves computer users at risk for attack by unscrupulous hackers who may have discovered the hole on their own and are able to exploit it without anyone knowing, security researchers say.

Giving burglars the keys?
Vendors complain that releasing information to the public on vulnerabilities before a patch is available is akin to giving a burglar the keys to the house. But if computer users know about the risk then they can protect themselves with workarounds and other fixes, researchers argue.

"I think vendors were stretching things out quite a bit," said Chris Wysopal, chief technology officer at Veracode. "We reported a bug to a vendor, a simple cross-site scripting bug, and now it's been four months and we're still waiting for them to fix it. I think vendors sometimes take liberties if there is no pressure put on them."

The debate came to a head recently when a researcher at Google publicly disclosed a Windows XP-related flaw and released code to exploit it five days after reporting it to Microsoft. Within days of the disclosure, there were attacks discovered that exploited the hole. Microsoft has since fixed the hole.

"I would like to point out that if I had reported (the issue) without a working exploit, I would have been ignored," Tavis Ormandy wrote in his post to the Full Disclosure e-mail list in June, adding that he was acting as an independent agent and not as a Google employee.

Microsoft and a few other researchers criticized Ormandy for being hasty in his disclosure, but his move was praised by numerous other researchers tired of waiting for patches that seem to take forever to come.

Google, which distanced itself from Ormandy's actions and the debate at the time, released a blog post addressing the disclosure issue a few weeks ago that was signed by Ormandy and others on the security team. The post suggested that 60 days is a reasonable time frame for vendors to fix critical holes.

"We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts," the Google post said. "Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet."

Microsoft responded with a blog post of its own that did not suggest a timeframe for fixes.

Asked for his thoughts on Google's proposed 60-day deadline, Mike Reavey, director of the Microsoft Security Response Center, said "I don't think there is a one size (fits all) for deadlines for fixing vulnerabilities in products."

Magic number
Dai Zovi and other researchers contacted by CNET said six months is plenty of time for vendors to fix most issues, and it provides more time than the U.S.-CERT (Computer Emergency Response Team) deadline of 45 days.

"It's hard to say what the magic number is," said Charlie Miller, principal analyst at Independent Security Evaluators. "Tavis reported a bug to Microsoft and wanted them to agree to patch within 60 days and they refused so he released it. So, if everyone can agree on a timeline (the industry) will benefit."

A Google spokesman said the company had no comment beyond the earlier blog post, and Ormandy was not available to comment.

Dave Forstrom, director of Microsoft's Trustworthy Computing Group, provided this statement from Microsoft: "Many vulnerability coordinators have established timelines for disclosure and as always, we'll continue to work with them in a way that minimizes customer risk. Microsoft advocates for coordinated vulnerability disclosure, where vendors and finders work together closely toward a resolution. Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible."

When asked about the Zero Day Initiative deadline for patches, Moore, the researcher who has been waiting nearly four years for Microsoft to patch a hole he discovered, said: "It's about time."

"For too many years, vendors have been pressuring researchers and research organizations to withhold vulnerability information until the patch is released," said Moore, who is chief security architect at Rapid7 and founder of the open-source Metasploit exploit database, which is used for penetration testing of software, networks, and Web sites.

"Personally, I'd like to see a shorter deadline," he said, "but this is a good compromise."