Major software firms may be neglecting security vulnerabilities and putting their users at serious risk, according to bug-hunters at Swedish security firm Defcom. The group said the situation has forced it to consider publicizing the details of several exploits, which would cause the companies involved severe embarrassment.
Although Defcom said the majority of firms respond quickly to alerts, it claims that at least two large firms have failed to get back to it over a number of months. It is now holding last-minute discussions with the firms, but says it is still considering releasing details.
"We have found vulnerabilities in major operating systems," said Thomas Olofsson, chief technical officer with Defcom. "More than one company hasn't responded with anything."
Although bugs in operating systems are not uncommon, as security mailing lists like Bugtraq illustrate, they are not usually made public until a company has developed a defense against them.
Olofsson is unwilling at this point to disclose information on the bugs, other than to say they pose a risk to users. "These problems are major bugs that could have a serious effect on a lot of people. It is quite irresponsible."
Improving the process
So what can be done to speed the process up? Paul Ashton, senior security architect with U.S. security firm Bindview, said it's just a matter of PR. "There are two things that determine how long it takes for bugs to get fixed, and no company feels an obligation to reduce the risk to customers. It depends on bureaucracy and bad public relations." Ashton argues that while internal bureaucracy will slow down the process, concerns over a bad image will speed it up.
David Litchfield, a well-known bug-hunter with security company @Stake, said that while things could be improved, many companies do respond to alerts quickly. He agrees, however, that it can be a difficult process to go through because of the sheer volume of reports companies receive. He adds that it is important not to jump the gun when revealing bugs. "The whole point of advisories is to help customers."
These warnings follow a significant change of stance by the U.S. government's Computer Emergency Response Team (CERT). The CERT Co-ordination Centre has changed its policy to give companies just 45 days to fix security vulnerabilities before revealing the problem openly. The shift in policy reflects a fundamental movement within the computer security industry towards a more open attitude toward security issues.