Brace yourself Windows users – it’s that time of the month again.
The second Tuesday of each month has become known to IT staff around the world as “Patch Tuesday”, for it’s the day when Microsoft releases bundles of security patches designed to close vulnerabilities in its software and operating systems.
With Tuesday June 11th 2013 just around the corner, Microsoft has advised that it will be publishing a total of five bulletins: four rated “Important” and one given the highest severity rating of “Critical”. The bulletins are expected to fix a total of 23 vulnerabilities.
Microsoft likes to give advance warning of the security patches it plans to issue, so IT teams can ready themselves and ensure that they have the right resources to roll them out across networks of computers promptly.
Of course, if a security patch is released but *not* distributed at reasonable speed by companies and individuals, there is always the risk that a hacker could reverse-engineer the fix and write malicious code to exploit the vulnerability it addresses.
At the time of writing, details of the issues that the security patches address are extremely sketchy – all we know is that the critical patch is for Internet Explorer, and the “important” patches address issues in Microsoft Windows and Office.
What we certainly don’t know is whether this round of patches will include a fix for the security hole that Google security engineer Tavis Ormandy controversially disclosed publicly last month, rather than giving Microsoft the opportunity to fix it first.
The first obvious question is whether it’s appropriate for a Google security engineer to publicly release details of flaws in software written by Microsoft, as one could reasonably assume that the two companies are in competition. :)
Tavis Ormandy would argue that the research he does into Microsoft’s security holes (and those of other vendors) is conducted in his own time, and has nothing to do with his employment at the search giant.
But Tavis Ormandy isn’t just any old security engineer at Google, he’s the co-author of an official Google note about vulnerability disclosure.
That note recommends giving software vendors 60 days to fix critical bugs before publicising them. And yet it appears – on occasions – that their most infamous security engineer isn’t always following that guidance.
Interestingly, just days after Tavis Ormandy’s disclosure of the latest Microsoft security hole, Google published a new note – calling on vendors to take more urgent action (“within 7 days”) when “critical vulnerabilities [are] under active exploitation.”
Although it’s easy to get bogged down in who publicised what security hole when, the key question is this: is it more responsible to privately inform Microsoft and get them to fix the problem in a reasonable timeframe, or to release details to the entire internet that could – potentially – benefit malicious attackers?
This is essentially a religious argument. Some believe full disclosure is a good thing. Others, like me, believe that security researchers should engage responsibly with software firms to get problems fixed.
If the researcher is concerned that the software firm is taking too long to fix a problem, or not taking it seriously, they could always brief a journalist and demo the fault to apply pressure *without* putting users at risk.
In my opinion, vulnerability researchers sometimes need to be realistic about the processes a firm needs to go through to evaluate a vulnerability report, replicate the behaviour, produce a fix, test that the fix does not cause any other problems and incompatibilities and then roll it out to millions of users.
Generally, Microsoft’s security team does an excellent job. Vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers.
Whether Tavis Ormandy’s security hole is fixed on Patch Tuesday or not, I would still recommend that users take every security alert issued by Microsoft seriously – and roll out any patches as appropriate, as quickly as possible.
What do you think about full disclosure versus responsible disclosure? Join the debate by leaving a comment below telling us your thoughts.