Bug-hunters say firms ignoring security holes

Experts say companies are failing to respond to security alerts, describing the attitude as "irresponsible"
Written by Will Knight, Contributor

Major software firms may be neglecting security vulnerabilities and putting their users at serious risk, according to bug-hunters at Swedish security firm Defcom. The group says the situation has forced it to consider publicising the details of several exploits which would cause the companies involved severe embarrassment.

Although Defcom says the majority of firms respond quickly to alerts, it claims that at least two large firms have failed to get back to it over a number of months. It is now holding last minute discussions with the firms, but says it is still considering releasing details.

"We have found vulnerabilities in major operating systems," says Thomas Olofsson, chief technical officer with Defcom. "More than one company hasn't responded with anything."

Although bugs in operating systems are not uncommon as security mailing lists like Bugtraq illustrate, they are not usually made public until a company has developed a defence against them.

Olofsson is unwilling at this point to disclose information on the bugs, other than to say they pose a risk to users. "These problems are major bugs that could have a serious effect on a lot of people. It is quite irresponsible."

So what can be done to speed the process up? Paul Ashton senior security architect with US security firm Bindview says its just a matter of PR. "There are two things that determine how long it takes for bugs to get fixed and no company feels an obligation to reduce the risk to customers. It depends on bureaucracy and bad public relations." Ashton argues that while internal bureaucracy will slow down the process, concerns over a bad image will speed it up.

David Litchfield, a well-known bug-hunter with security company @Stake says that while things could be improved many companies do respond to alerts quickly. He agrees, however, that it can be a difficult process to go through because of the sheer volume of reports companies receive. He adds that it is important not to jump the gun, when revealing bugs. "The whole point of advisories is to help customers."

These warnings follow a significant change of stance by US government's Computer Emergency Response Team (CERT). The CERT Co-ordination Centre has changed its policy to give companies just 45 days to fix security vulnerabilities before revealing the problem openly. The shift in policy reflects a fundamental movement within the computer security industry towards a more open attitude toward security issues.

To have your say online click on the TalkBack button and go to the ZDNet News forum.

What do you think? Tell the Mailroom. And read what others have said.

Editorial standards