CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Patch slipup raises security questions

The questionable handling of a fix for a recent widespread software vulnerability has some administrators worried that developers can't be trusted to make security a top priority.

Read more about security
The questionable handling of a fix for a recent widespread software vulnerability has some administrators worried that developers can't be trusted to make security a top priority.

Last week, the Internet Software Consortium withheld the patch for a critical flaw in the domain name system (DNS) software from a large number of researchers, asking instead that each person send the organization an e-mail request in order to get the fix. The software, known as the Berkeley Internet Name Domain (BIND) program, performs a critical function as the address book for the Net.

The delay, coupled with messages sent to several administrators urging them to pay to become part of an early-warning group run by the ISC, has some security experts worried that security is taking a backseat to secrecy and money.

"It's a concern, especially with the Digital Millennium Copyright Act being used by some companies to threaten researchers," said Greg Shipley, chief technology officer of security consultancy Neohapsis. "The bottom line is the industry cannot agree on a responsible disclosure process, and the community and the Internet at large suffer."

For the past two years, Richard Clarke, special presidential adviser for cybersecurity, has expounded on the need for software companies and developers to understand that the country's national security could rely on how responsibly software vulnerabilities, and their fixes, are handled.

The ISC's flub is the latest incident to call into question whether software companies, security researchers, and open-source development groups can be relied on to responsibly handle the vulnerabilities found in the software that forms the foundation of the Internet.

Earlier this year, Hewlett-Packard threatened a researcher with a lawsuit under the DMCA. The pro-copyright law has been used against security analysts who claim they're performing a public service when they discover ways to circumvent security measures and then make the risks known. And last month, unknown attackers unleashed a flood of data at a key group of DNS servers, known as root servers, raising the specter of an all-out Internet collapse.

Those incidents make it plain that key components rely on the judgment of computer experts and code slingers with widely varying agendas. The delays in delivering a patch for the bug in BIND spotlight the problem.

Evaluation or solicitation?
When security researchers announced that they had found new flaws in key Internet software last week, network administrators rushed to download the patches. However, the fixes for the software weren't available.

Instead, the ISC--the maker of the most popular domain name system (DNS) software on the Internet--required that people who weren't part of the organization's early-warning group e-mail ISC for the patches. Because servers that run DNS software act as the address book of the Net, thousands of Internet service providers and companies were interested in getting the software fix.

However, rather than replying to e-mail requests sending the patch along, the ISC used the opportunity to solicit members for its paid support service, said Marc Maiffret, chief hacking officer for eEye Digital Security, a vulnerability assessment company.

"They basically responded that they wouldn't make it available until the weekend, and then they said they had an early warning service and you have to pay money for that," Maiffret said.

Maiffret eventually had to resort to using his network of friends to get a copy of the patch. Other security professionals complained that they weren't able to get a copy of the patch until the ISC relented and published it to its Web site Wednesday night.

Lynda McGinley, executive director for the ISC, said the group tried to act responsibly.

"Our intention was to get the information to the right people," McGinley said. But she said the plan to evaluate potential recipients via e-mail didn't work out. "This is not the best way to do it. That's very obvious," McGinley said.

Class struggle
Several have questioned the group's motives in this latest slipup. In February 2001, the ISC announced it would be creating a new group, called the BIND Forum, whose members would receive advanced notice of some problems. At the time, the consortium dismissed fears that the forum meant that BIND users were being divided into first- and second-class citizens.

"There will be no special privilege level of information for this group," Paul Vixie, chairman of the ISC, said at the time. "Anything learned by the group will be absolutely learned by all the members."

Angry network administrators and security experts disputed that notion.

"They deliberately withheld these patches," said Michael Brennen, president of , a boutique Internet service provider. "There are no other explanations. They knew what they were doing."

Brennen, who runs a handful of BIND servers for his ISP as well as for his clients, said he got a message back from McGinley soon after he sent an e-mail to her on Tuesday. The message said that he was on a list to get patches but gave no other information. When he asked for more information, she replied that Brennen might want to become part of the BIND Forum.

Delays in notification also hurt the response times of groups whose role are to protect the critical functions of the Internet.

The Computer Emergency Response Team Coordination Center at Carnegie Mellon University, the clearinghouse for much of the software-vulnerability information released on the Internet, didn't have much time to respond to the issue, said Martin Lindner, team leader for CERT.

"We would have liked more time," Lindner said. "We would like to give the vendors as much time as possible."

Lindner added that CERT contacted all the Linux distribution groups--companies such as Red Hat and SuSE and organizations such as Debian--as soon as they had information. Yet, according to statements by those groups, CERT only issued information 12 hours before the flaws were made public. As a result, none of the Linux sellers had a patch ready when the company that originally found the flaw, Internet Security Systems, made the issue public.

Neohapsis' Shipley said the ISC's response could also affect the uneasy truce between those who find flaws and the companies who make the software that's being investigated. Security researchers typically want to make vulnerabilities public immediately.

The software makers would rather not publicize the holes in their products at all, but at the very least, they'd like time to prepare patches before the flaws are made known. The two groups have been trying to reach a compromise, and the ISC's blunder sets a bad example, Shipley said.

"Microsoft and Sun have refined policies around this stuff, but then you have the newcomers who are just learning to handle these things, and they are making some bad choices," Shipley said. "The BIND guys are veteran players. They have been around the space for a long time. I hope it's just a bad judgment call."