When HP’s TippingPoint issued an ultimatum Wednesday to software vendors to fix and reveal to the public software vulnerabilities within six months, Aaron Portnoy, manager of security research at TippingPoint, directed me to a page on the company’s Zero Day Initiative (ZDI) site that lists all the vulnerabilities known to ZDI and to the software vendors but for which a patch hasn’t yet been developed; details of the vulnerabilities are kept under wraps until a patch is available so as not to give hackers a road map to exploiting them.
Although Microsoft software is ubiquitous globally, regularly has to admit glitches in its software and is notorious for buggy software, Microsoft actually came out looking good, at least in the snapshot I found on the site today.
ZDI , which is about to marks its fifth anniversary, currently has 120 vulnerabilities listed as “upcoming advisories,” meaning ZDI and its team of 1,300 freelance researchers have identified those vulnerabilities and alerted the software vendors of them. ZDI treats the identified vulnerabilities as intellectual property and buys them from the researchers, develops protections for TippingPoint’s customers, with such technology as intrusion prevention systems, and simultaneously alerts the software vendor. The bug stays on the list until the vendor develops a patch and reveals it, allowing everyone to apply the patch and protect their systems.
Of those 120 upcoming advisories, only 11 of them are in software made by Microsoft, a tie with HP. Among the software vendors with more vulnerable software on the list than Microsoft are IBM (with 22), Apple (16) and Oracle/Sun Microsystems (14). So Microsoft must be going, “Phew! Well, we dodged that one!”
To be sure, the list changes every week; as software is patched, some vendors drop off the list while others are added, so Microsoft may make up more or fewer of the names on the list over time. Nonetheless, Portnoy says Microsoft is among those software vendors that is certainly part of the problem.
Portnoy’s complaint? (You had to see that coming.): Software vendors are taking too much time to repair vulnerabilities. Whether it’s Apple, HP or Microsoft, six months is way too long for a vulnerability to sit without being fixed by the vendor.
“We think it’s a little irresponsible to sit on a vulnerability for that long. They have some responsibility to their users to fix these in a timely fashion,” said Portnoy, who also blogged about the subject. ““The longer a vendor sits on a vulnerability like that, the more at risk the end user is going to be.”
Hence the six-month deadline. Of the 120 “upcoming advisories” on ZDI’s list, 80 have been on there for at least six months while 31 of them are over a year old. ZDI is cutting the vendors even more slack by starting the six-month calendar again from zero as of Aug. 4. If companies don’t issue a patch, removing them from the list, by the deadline, ZDI will go over their heads directly to their customers to warn them, Portnoy said.
“We are going to publish an advisory detailing the vulnerability with limited details,” he said, so as to give people a heads up that this vulnerability is out there. Then he explained the meaning of “specific details.” “We’re going to expose the fact that there is a vulnerability and we’re going to detail specific parts about it so people can protect themselves from it.”
TippingPoint is also going to share details of the vulnerability with competitors so they can also build defenses. Microsoft responded diplomatically to ZDI’s throw-down, pressing the case for what it is now calling “coordinated vulnerability disclosure.”
“Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible,” said Dave Forstrom, director of Microsoft’s Trustworthy Computing initiative, in an e-mail.
Forstrom alluded to other “vulnerability coordinators” that have also imposed deadlines and pledged to ”continue to work with them.”
ZDI’s deadline follows a similar move by Google, which in a July 20 blog post called for a 60-day deadline for vendors to develop patches. The Computer Emergency Response Team imposes a 45-day deadline.
Even though Microsoft looks pretty responsible today with only 11 bugs on the list of 120, even just one bug that goes untreated after so long, and is exploited, will still make for a bad day for Microsoft and its customers even if other vendors are also tardy about fixing bugs.