Monday, June 18, 2007

Security Flaw Announcements - The Wrong Way Of Doing The Right Thing

By Coenraad De Beer

The latest security flaws in the world of software are always popular topics for online discussions, newsletters and articles. Discovering the latest security flaw in a popular application is still the most favourite pastime for many freelance journalists and technical gurus. The problem does not lie in the disclosure of the flaws as such, the problem lies in the approach towards the disclosure as well as the timing of the disclosure.

Security flaw announcements have grown into a very popular electronic sport. It is a constant race against time to become the first one to announce the latest flaws found in the most famous software applications. Rival users of similar products are often in competition with each other to prove which application is the most secure. It is often a case of throwing mud at each other, instead of taking the safety of other users into consideration.

Do non-technical users sign up for technical newsletters, do they read technical blogs or do they take part in technical discussions? Many of them don't, it is in most cases only technical people discussing these matters and reading the technical newsletters. Most people are only interested in using the software and do not care about taking part in a forum discussion about the latest security flaw in the software. This is the point I'm trying to make, if your goal is the safety of other users, who do you want to save when your forum post or article never reaches the audience who needs the information the most? Even if you reach the right people, what's the use of announcing a flaw if you can't provide a safe and solid solution to the problem? What do you want people to do when a severe virus is raging on the Web, a virus for which there is no fix at that specific time? Do you think everyone will suddenly stop using the Internet because of your useless information? You are only giving the flaw unnecessary publicity, exposing each user of the software to even greater exploits.

The animated cursor flaw of Internet Explorer is a good example where there was no solid solution to the problem when it became a known threat. At least most people suggested that Internet Explorer users switch to Firefox, but every coin has two sides. The flaws of Internet Explorer proved once again that there is ample reason to switch to a safer alternative like Firefox, but we all know how reluctant most Internet users are to switch to a new browser. Yet again, if people do not want to listen to good advice, let them burn their fingers. Unfortunately this flaw resulted in debates about which browser has the most flaws, its like arguing about whose car is the fastest if there is no road to drive it on. Switching to a safer browser will not disinfect a PC already infected with a virus. After all, what's the use of having the safest browser in the world if you can't even get it to run on an infected PC?

Software developers should provide proper channels through which users can report flaws and more importantly, companies should act promptly on these reports. It is because of the poor response from major companies, that people start to seek alternative methods, out of frustration with their hear-no-evil, see-no-evil approach. A while ago I discovered a severe flaw in a very popular free anti-virus application, but the only channel through which I could discuss problems surrounding the free version, was through their online forum. This means you seldom talk to the actual developers or employees of the company, only forum moderators and members. I understand and I have experienced these frustrations, if there is no one you can talk to about a serious problem surrounding their software, who on earth do you turn to?

There is a huge difference between the announcement of a security flaw and the announcement of a patch to fix a flaw. If you can't provide a proper workaround for the problem, if you are unable to tell someone who can do something about it, keep it to yourself. Announcing security flaws without contributing to the solution is like someone announcing the release of poisonous gas into the air and instead of handing out gasmasks, he suggests that everyone hold their breath until the gas is gone.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and raising awareness about online scams and malicious software.

No comments: